CVE-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.4 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://gitlab.gnome.org/GNOME/libxslt/-/issues/128	Exploit Issue Tracking Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*

History

03 Nov 2025, 22:18

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html -

Information

Published : 2025-03-14 02:15

Updated : 2025-11-03 22:18

NVD link : CVE-2025-24855

Mitre link : CVE-2025-24855

CVE.ORG link : CVE-2025-24855

JSON object : View

Products Affected

xmlsoft

libxslt

CWE

CWE-416

Use After Free

{"id": "CVE-2025-24855", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.8, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-03-14T02:15:15.717", "references": [{"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/128", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal."}, {"lang": "es", "value": "numbers.c en libxslt anterior a la versi\u00f3n 1.1.43 tiene un m\u00e9todo de uso despu\u00e9s de la liberaci\u00f3n porque, en evaluaciones XPath anidadas, un nodo de contexto XPath puede modificarse, pero nunca restaurarse. Esto est\u00e1 relacionado con xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs y xsltComputeSortResultInternal."}], "lastModified": "2025-11-03T22:18:40.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEA1BBB0-7A2D-4692-9A66-E59385990224", "versionEndExcluding": "1.1.43"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}