PT-2025-29101 · Libxslt+10
Sergei Glazunov · Published 2025-04-15 · Updated 2026-05-08
CVE-2025-7425
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
libxml2 and libxslt versions prior to 2.12.7+dfsg+really2.9.14-0.4ubuntu0.4
libxslt versions 1.1.35-1.2+deb13u1
libxml2 versions prior to 2.9.14+dfsg-1.3~deb12u4
libxml2 versions prior to 2.12.7+dfsg+really2.9.14-2.1+deb13u1
SLE 15 SP7
Description
A heap use-after-free vulnerability exists in libxml2 and libxslt due to improper handling of attribute types, specifically the atype flags. This flaw occurs when processing certain XSLT operations, leading to memory corruption. Exploitation can result in crashes or potentially allow an attacker to execute arbitrary code. The vulnerability impacts various systems, including AWS Lambda base images and Oracle Linux.
Recommendations
Update libxml2 to version 2.12.7+dfsg+really2.9.14-0.4ubuntu0.4 or later.
Update libxslt to a version later than 1.1.35-1.2+deb13u1.
Update libxml2 to version 2.9.14+dfsg-1.3~deb12u4 or later.
Update libxml2 to version 2.12.7+dfsg+really2.9.14-2.1+deb13u1 or later.
Apply the security patches for SLE 15 SP7.
Exploit
Fix
RCE
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Almalinux
Centos
Debian
Java Platform
Linuxmint
Apple Macos
Red Hat
Rocky Linux
Suse
Ubuntu
Libxslt