CVE-2025-24855

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.4 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://gitlab.gnome.org/GNOME/libxslt/-/issues/128	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*

History

22 Oct 2025, 19:09

Type	Values Removed	Values Added
Summary		(es) numbers.c en libxslt anterior a la versión 1.1.43 tiene un método de uso después de la liberación porque, en evaluaciones XPath anidadas, un nodo de contexto XPath puede modificarse, pero nunca restaurarse. Esto está relacionado con xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs y xsltComputeSortResultInternal.
First Time		Xmlsoft Xmlsoft libxslt
References	~~() https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 -~~	() https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 - Exploit, Issue Tracking, Vendor Advisory
CPE		cpe:2.3:a:xmlsoft:libxslt::::::::

14 Mar 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-14 02:15

Updated : 2025-10-22 19:09

NVD link : CVE-2025-24855

Mitre link : CVE-2025-24855

CVE.ORG link : CVE-2025-24855

JSON object : View

Products Affected

xmlsoft

libxslt

CWE

CWE-416

Use After Free

{"id": "CVE-2025-24855", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.8, "exploitabilityScore": 1.4}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-03-14T02:15:15.717", "references": [{"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/128", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal."}, {"lang": "es", "value": "numbers.c en libxslt anterior a la versi\u00f3n 1.1.43 tiene un m\u00e9todo de uso despu\u00e9s de la liberaci\u00f3n porque, en evaluaciones XPath anidadas, un nodo de contexto XPath puede modificarse, pero nunca restaurarse. Esto est\u00e1 relacionado con xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs y xsltComputeSortResultInternal."}], "lastModified": "2025-10-22T19:09:07.097", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEA1BBB0-7A2D-4692-9A66-E59385990224", "versionEndExcluding": "1.1.43"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}