CVE Catalog

CVE-2025-49794

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.67%

47th percentile - higher than 47% of all known CVEs

Summary

A use-after-free vulnerability was found in libxml2 when parsing XPath elements under certain circumstances with XML schematron containing <sch:name path="..."/> elements. This flaw allows a malicious actor to craft a malicious XML document that, when processed by libxml, can cause a program crash or other undefined behaviors.

Risk Assessment

The risk involves the possibility of remotely crashing applications using libxml2 (e.g., web servers, XML processing tools) by supplying a specially crafted XML document. This can lead to denial of service (DoS) or potentially other unspecified dangerous behaviors.

Recommendation

Immediately update the libxml2 library to the latest available version that includes a fix for CVE-2025-49794. Before applying the patch, consider restricting the processing of untrusted XML documents with schematron elements.

Original NVD description (English source)

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS