DEBIAN-CVE-2025-9714
PUBLISHED
CVSS 5.5 MEDIUM
Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. The XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` reset the recursion depth counter to zero before making potentially recursive calls. When such functions were themselves called recursively, this defeated the depth limit, allowing uncontrolled recursion that could lead to a stack overflow. These functions now preserve the recursion depth across recursive calls, so the total depth remains bounded.
Risk Scores
- CVSS 3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | libxml2 | 2.12.7+dfsg, 0, 2.12.7+dfsg+really2.9.14-2.1+deb13u1 |
| Debian:14 | libxml2 | 2.14.3+dfsg, 2.14.3+dfsg, 2.14.2+dfsg |
| Debian:12 | libxml2 | 2.9.14+dfsg, 0, 2.9.14+dfsg-1.3~deb12u3 |
| Debian:11 | libxml2 | 0, *, 2.9.10+dfsg-6.7+deb11u7 |
Exploit Intelligence
- TestCommand.yaml (github-poc)
Timeline
- Sep 10, 2025 CVE Published
- Apr 28, 2026 CVE Updated