CVE-2025-15646
Status: Received - Intake

Heap Memory Disclosure in HTML::Gumbo Perl Module

Vulnerability report for CVE-2025-15646, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: CPANSec

Description

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text node, so strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.


Affected Vendors & Products

One associated CPE:
Vendor: bestpractical; Product: html_gumbo; Version range: all versions before 0.19 (0.19 excluded)

Exploitability

CWE-843: The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.

Compliance Impact

The vulnerability in HTML::Gumbo versions before 0.19 causes heap memory disclosure via type confusion when parsing input containing a <template> element. This could potentially lead to unintended exposure of sensitive data held in memory.

Such memory disclosure vulnerabilities may impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized access or leaks.

However, the provided information does not explicitly describe the nature of the data exposed or confirm if personal or regulated data is at risk, so the exact compliance impact cannot be determined from the given context.

Executive Summary

The vulnerability in HTML::Gumbo versions before 0.19 for Perl is caused by improper handling of the <template> element introduced in libgumbo 0.10.0. The walk_tree function did not recognize the template node type and treated it as a text node. As a result, strlen() was called on a pointer that does not address a NUL-terminated string, over-reading heap memory and disclosing parts of the heap.

Specifically, when parsing input containing a <template> element with the default format set to 'string' or 'tree', the function serializes the over-read bytes into the output, leaking bounded heap contents. Using the 'callback' format avoids this issue by croaking on the unhandled node type.

The root cause was that the walk_tree function only handled certain node types and missed the template node type, which was fixed by adding support for GUMBO_NODE_TEMPLATE to be processed like an element node.

Impact Analysis

This vulnerability can lead to unintended disclosure of heap memory contents when parsing HTML input containing <template> elements. An attacker could exploit this to gain access to sensitive information stored in the heap memory of the application using the vulnerable HTML::Gumbo library.

Such memory disclosure can compromise confidentiality and potentially aid further attacks by revealing internal data structures or secrets.

Detection Guidance

This vulnerability occurs when parsing HTML input containing a <template> element using vulnerable versions of HTML::Gumbo before 0.19. Detection involves identifying if your system uses an affected version of HTML::Gumbo and if it processes HTML inputs with <template> elements.

Since the issue is in the parsing library, direct network detection commands are not provided. However, you can check the installed version of HTML::Gumbo in your Perl environment with the following command:

  • perl -MHTML::Gumbo -e 'print $HTML::Gumbo::VERSION, "\n"'

If the version is before 0.19, your system is vulnerable. Additionally, you can test parsing of HTML containing a <template> element to see if heap memory is disclosed by running a Perl script that uses HTML::Gumbo to parse such input and inspecting the output for unexpected data.

Mitigation Strategies

The immediate mitigation step is to upgrade HTML::Gumbo to version 0.19 or later, where the vulnerability is fixed by properly handling the <template> element node type in the walk_tree() function.

If upgrading is not immediately possible, avoid parsing HTML inputs containing <template> elements with the vulnerable versions, or use the 'callback' format option in parse(), which is unaffected by this vulnerability.
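The two mitigations above combined into one guard, as an added example that is not part of the CVE record or of the HTML::Gumbo distribution: the wrapper refuses the 'string' and 'tree' output formats on an installed version below 0.19 and only lets the unaffected 'callback' format through. The exact argument list handed to the callback is assumed (first argument taken as the event name); check the module's documentation for the real signature.

```perl
#!/usr/bin/env perl
# Added example: guard HTML::Gumbo->parse() against CVE-2025-15646.
use strict;
use warnings;
use version;
use HTML::Gumbo;

my $FIXED_IN = version->parse('0.19');   # first release with the walk_tree fix

# True when the installed module is at or past the fixed release.
sub gumbo_is_patched {
    return version->parse($HTML::Gumbo::VERSION) >= $FIXED_IN;
}

# Parse untrusted HTML. On a patched install any format is allowed; on a
# vulnerable install only 'callback' is, because that path croaks on the
# unhandled <template> node instead of serializing over-read heap bytes.
sub parse_untrusted {
    my ($html, %opt) = @_;
    my $format = $opt{format} // 'string';   # 'string' is parse()'s default
    if (!gumbo_is_patched() && $format ne 'callback') {
        die sprintf "HTML::Gumbo %s is affected by CVE-2025-15646; "
          . "upgrade to 0.19 or later or use format => 'callback' "
          . "(requested format: %s)\n", $HTML::Gumbo::VERSION, $format;
    }
    return HTML::Gumbo->new->parse($html, %opt);
}

# Constructed sample input that exercises the <template> code path.
my $sample = '<html><body><template><p>x</p></template></body></html>';

# Assumed callback shape: the first argument is the event name; only the
# event names are collected here.
my @events;
my $ok = eval {
    parse_untrusted($sample, format => 'callback',
        callback => sub { push @events, $_[0] });
    1;
};
print "parse refused or croaked: $@" unless $ok;
print "HTML::Gumbo $HTML::Gumbo::VERSION, events seen: @events\n";
```

On a vulnerable install the eval reports the croak from the unhandled node type; on 0.19 or later the same input parses and the event list is printed.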
