CVE-2025-6497
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in HTACG tidy-html5 5.8.0. It has been rated as problematic. This issue affects the function prvTidyParseNamespace of the file src/parser.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-06-23
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2025-06-23
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-6497 is an assertion failure vulnerability in HTACG tidy-html5 version 5.8.0, specifically in the function prvTidyParseNamespace within src/parser.c. The vulnerability occurs when the parser encounters a situation where a required parent node pointer is unexpectedly null or invalid during namespace parsing, causing an assertion to fail and the application to abort. This leads to a reachable assertion (CWE-617) that can be triggered by specially crafted input, causing the software to crash or exit unexpectedly. Exploitation requires local access, and a proof-of-concept exploit is publicly available. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service (DoS) condition. When exploited, the assertion failure causes the tidy-html5 application to crash or exit unexpectedly, affecting the availability of the software. Since the vulnerability requires local access to exploit, an attacker with local privileges could disrupt the normal operation of the software, potentially impacting systems or services relying on tidy-html5 for HTML parsing. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running the provided proof-of-concept exploit or fuzzing harness against the tidy-html5 binary to trigger the assertion failure. Specifically, compiling and running the fuzzing harness with AddressSanitizer and fuzzing instrumentation as described in Resource 3 can help detect the issue. Commands involve setting compiler flags (-fsanitize=address -fsanitize=fuzzer), compiling the fuzzing harness with Clang and libc++, and executing it with crafted input files that trigger the assertion failure in prvTidyParseNamespace. There are no known network detection commands since the exploit requires local access. [3]


What immediate steps should I take to mitigate this vulnerability?

Consider replacing the affected tidy-html5 version 5.8.0 with an alternative, or with an updated version if one is available, as no known countermeasures or patches currently exist. Since the vulnerability requires local access and is easy to exploit, restricting local access to trusted users and monitoring for attempts to run the proof-of-concept exploit can help reduce risk. Avoid processing untrusted input with the vulnerable tidy-html5 version until a fix is released. [1]
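
An added example, not part of the original page or of the tidy-html5 project: one way to keep an assertion abort in tidy from ending the calling service, and to record it, is to run the parser as a child process and classify how it exits. The helper names, the 10-second timeout and the `tidy -q -e` command line are assumptions.

```python
import signal
import subprocess
import sys

# tidy's documented exit statuses: 0 = clean, 1 = warnings, 2 = errors.
TIDY_STATUS = {0: "ok", 1: "warnings", 2: "markup-errors"}


def classify_exit(returncode, stderr_text):
    """Turn a finished child's status into a triage label (hypothetical helper)."""
    if returncode < 0:  # POSIX: a negative value means killed by that signal
        if -returncode == signal.SIGABRT:
            # A failed assert() ends in abort(); the message text is only a hint.
            return "assertion-abort" if "Assertion" in stderr_text else "abort"
        return "signal-%d" % -returncode
    return TIDY_STATUS.get(returncode, "unexpected-exit")


def run_isolated(argv, data, timeout=10):
    """Run the parser in its own process so a crash cannot end the caller."""
    try:
        proc = subprocess.run(argv, input=data, stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=timeout)
    except subprocess.TimeoutExpired:
        return {"label": "timeout", "returncode": None, "stderr": ""}
    stderr_text = proc.stderr.decode("utf-8", "replace")
    return {"label": classify_exit(proc.returncode, stderr_text),
            "returncode": proc.returncode,
            "stderr": stderr_text[-500:]}  # keep the tail for the log entry


if __name__ == "__main__":
    # Assumed invocation: quiet mode, report errors only, HTML read from stdin.
    with open(sys.argv[1], "rb") as fh:
        result = run_isolated(["tidy", "-q", "-e"], fh.read())
    print(result["label"], result["returncode"])
    if result["label"] in ("assertion-abort", "abort"):
        print("tidy aborted on this input; quarantine the file", file=sys.stderr)
        sys.exit(3)
```

The signal-based classification relies on POSIX process semantics; on other platforms an abort surfaces as a different exit status.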

