CVE-2025-25341
Segmentation Fault DoS in libxmljs 1.0.11 XML Parsing
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libxmljs | libxmljs | 1.0.11 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libxmljs version 1.0.11 and occurs when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, which can crash the application.
How can this vulnerability impact me? :
The vulnerability can lead to a denial-of-service (DoS) condition by causing the application to crash due to a segmentation fault when processing malicious XML input.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if parsing specially crafted XML documents containing entity references causes a segmentation fault or crashes the Node.js process using libxmljs 1.0.11. A proof-of-concept involves parsing an XML document with an entity declaration and then accessing the internal `_ref` property on `entity_ref` or `entity_decl` nodes, for example by logging these nodes. There are no specific network detection commands provided. A suggested command in a Node.js environment would be to run a script that parses such crafted XML and accesses the `_ref` property to observe if a crash occurs. [1]
What immediate steps should I take to mitigate this vulnerability?
No fix or mitigation is indicated in the available report. Immediate steps would include avoiding accessing the internal `_ref` property on `entity_ref` and `entity_decl` nodes when parsing XML documents with libxmljs 1.0.11, and avoiding logging or otherwise interacting with these nodes in a way that triggers the segmentation fault. Monitoring for crashes and limiting exposure to untrusted XML input may help reduce risk until a fix is available. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.