CVE-2025-67899
PUBLISHED
CVSS 2.9 LOW
uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas.
EPSS 0.01% · 0.6th percentile
Risk Scores
CVSS 3.1
2.9
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.01%
0.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| uriparser_project | uriparser | |
| uriparser project | uriparser | 0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-67899 (circl-sighting)
- http://www.openwall.com/lists/oss-security/2025/12/15/1 (circl)
- https://github.com/uriparser/uriparser/issues/282 (circl)
- https://github.com/uriparser/uriparser/pull/284 (circl)
Timeline
- Dec 14, 2025 CVE ID Reserved
- Dec 14, 2025 CVE Published
- Dec 15, 2025 EPSS Score
- Dec 15, 2025 PoC Published
- Dec 15, 2025 CVE Updated
- Dec 19, 2025 EPSS Score
- Dec 20, 2025 PoC Published
- Dec 21, 2025 PoC Published
- Dec 23, 2025 EPSS Score
- Dec 27, 2025 EPSS Score
- Dec 31, 2025 EPSS Score
- Jan 4, 2026 EPSS Score
References
- https://github.com/uriparser/uriparser/issues/282 url
- https://github.com/uriparser/uriparser/pull/284 url
- http://www.openwall.com/lists/oss-security/2025/12/15/1 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-67899 advisory
- https://www.php.net/ChangeLog-8.php#8.1.34 advisory
- https://www.php.net/ChangeLog-8.php#8.3.29 advisory
- https://www.php.net/ChangeLog-8.php#8.4.16 advisory
- https://www.php.net/ChangeLog-8.php#8.2.30 advisory
- https://www.php.net/ChangeLog-8.php#8.5.1 advisory