CVE-2025-6496
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in HTACG tidy-html5 5.8.0. It has been declared as problematic. This vulnerability affects the function InsertNodeAsParent of the file src/parser.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-23
Last Modified
2026-04-29
Generated
2026-05-07
AI Q&A
2025-06-23
EPSS Evaluated
2026-05-05
NVD
CVE-2025-6496
EUVD
EUVD-2025-18857
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6496 is a null pointer dereference vulnerability in HTACG tidy-html5 version 5.8.0, specifically in the InsertNodeAsParent function in src/parser.c. When processing certain malformed or specially crafted HTML input, the function attempts to read from a null or invalid memory address, causing the application to crash (segmentation fault). This flaw affects the availability of the software by causing unexpected termination or denial of service. Exploitation requires local access, and a proof-of-concept exploit is publicly available. [1, 2, 3]


How can this vulnerability impact me? :

This vulnerability can impact you by causing the tidy-html5 application to crash or exit unexpectedly when processing certain inputs, leading to a denial of service (DoS). Since it requires local access to exploit, an attacker with local privileges could disrupt the availability of the application or service relying on tidy-html5. It does not affect confidentiality or integrity, only availability. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running the affected tidy-html5 version 5.8.0 with specially crafted input files that trigger the null pointer dereference in the InsertNodeAsParent function. Using fuzz testing tools such as OSS-Fuzz or AddressSanitizer with libFuzzer instrumentation can help identify the crash. There are no specific network detection commands since the exploit requires local access and affects application availability by causing a crash. You can test by running tidy-html5 on suspicious or malformed HTML input and monitoring for segmentation faults or crashes. Example command to test with a crafted input file: `tidy-html5 < crafted_input.html` and observe if the application crashes. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the affected tidy-html5 version 5.8.0 or replacing it with an alternative product, as no known patches or countermeasures currently exist. Restrict local access to the system running tidy-html5 to trusted users only, since exploitation requires local access. Monitor for application crashes and avoid processing untrusted or malformed HTML input until a fix is available. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart