#1109122 libxslt: CVE-2025-7425

Package:
src:libxslt
Source:
src:libxslt
Submitter:
Salvatore Bonaccorso
Date:
2026-01-06 16:55:04 UTC
Severity:
normal
Tags:
#1109122#5
Date:
2025-07-11 19:09:33 UTC
From:
To:
Hi,

The following vulnerability was published for libxslt.

CVE-2025-7425[0]:
| A flaw was found in libxslt where the attribute type, atype, flags
| are modified in a way that corrupts internal memory management. When
| XSLT functions, such as the key() process, result in tree fragments,
| this corruption prevents the proper cleanup of ID attributes. As a
| result, the system may access freed memory, causing crashes or
| enabling attackers to trigger heap corruption.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7425
https://www.cve.org/CVERecord?id=CVE-2025-7425
[1] https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1109122#10
Date:
2025-08-29 16:02:43 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 Aug 2025 19:38:04 +0800
Source: libxml2
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.1+deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Closes: 1109122
Changes:
 libxml2 (2.12.7+dfsg+really2.9.14-2.1+deb13u1) trixie-security; urgency=high
 .
   * CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype`
     corruption (Closes: #1109122)
Checksums-Sha1:
 3839e979ccc0144aad08518d43cfdec6e78bc2fd 2721 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.dsc
 b41615e638174b4e36845c68d4b305dd6a6b541f 2351200 libxml2_2.12.7+dfsg+really2.9.14.orig.tar.xz
 dceb3a6db8211dac7c078eb82766d031d7d812f6 48728 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.debian.tar.xz
 f2ec2f458c3dfbb2bd0420d9dbbf584602a7e6b0 5305 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1_source.buildinfo
Checksums-Sha256:
 1b5ebd1dc73f27d0633797781d3a9304c8d25a4ace8ca32c44a8247757e92b0c 2721 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.dsc
 4fe913dec8b1ab89d13b489b419a8203176ea39e931eaa0d25b17eafb9c279e9 2351200 libxml2_2.12.7+dfsg+really2.9.14.orig.tar.xz
 1d83110ae29224c4e74d16f74296491b769120d3fdebe5c893c3389e49e4f51e 48728 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.debian.tar.xz
 ed104570a7fb042fd4e633dedaa125fe0919d60e218454317252c1005ad7f051 5305 libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1_source.buildinfo
Files:
 b1a74d43b23c036625ce057220b0f40c 2721 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.dsc
 bbcae2f48d1c9b1413ef953ce87e9346 2351200 libs optional libxml2_2.12.7+dfsg+really2.9.14.orig.tar.xz
 fd365b1a632edbf27e2906e87ce92ebb 48728 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1.debian.tar.xz
 948bfb2e87ca207fc0db0394e6b5ebfc 5305 libs optional libxml2_2.12.7+dfsg+really2.9.14-2.1+deb13u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEBLHAyuu1xqoC2aJ5NP8o68vMTMgFAmisTAIACgkQNP8o68vM
TMiSGgf/ddTaURtgG0OhaCyEnRWy28e6y3hEPx0n0Ke6+Ct7y9cb0Pn6FUTlDKrI
Jvj7fkQ8+s5l6B4bsBADMFBB94s8S8xZtvW0Lp7+K5xZS1ikxjujWy6lUhH8pMBH
tpTTGCDwNWAfSdzJaabqYjhojuuqa0k4oJ/nNTMoUTv2SDHU6fZ3inmmeXcF67lv
koaJmNs3heKS6nrNEcaRfntwi0tz4BakXv5VdYkQWMGS8Z8XLTDjzrioD4SiD2T/
ZzPNvBFJIGdxNtL0wdHIUpJirYybyIrTpkPYZY1XzZLHHymXdCJK+x8ogtbL48uQ
9eAFu4MFlaFI8Ei6eSludcsP2gZe0g==
=E9vx
-----END PGP SIGNATURE-----

#1109122#15
Date:
2025-08-29 16:03:12 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libxml2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aron Xu <aron@debian.org> (supplier of updated libxml2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 25 Aug 2025 19:30:10 +0800
Source: libxml2
Architecture: source
Version: 2.9.14+dfsg-1.3~deb12u4
Distribution: bookworm-security
Urgency: high
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Aron Xu <aron@debian.org>
Closes: 1109122
Changes:
 libxml2 (2.9.14+dfsg-1.3~deb12u4) bookworm-security; urgency=high
 .
   * CVE-2025-7425: heap-use-after-free in xmlFreeID caused by `atype`
     corruption (Closes: #1109122)
Checksums-Sha1:
 80fb2ce26b06546782096a41f005995db8b62bdb 2610 libxml2_2.9.14+dfsg-1.3~deb12u4.dsc
 7d2e24cfb589e210f39cdb931bc5b92901b41aae 47500 libxml2_2.9.14+dfsg-1.3~deb12u4.debian.tar.xz
 4d612eefe67ad9f8ac4c6afee72f3f583b36c90b 5253 libxml2_2.9.14+dfsg-1.3~deb12u4_source.buildinfo
Checksums-Sha256:
 de59e0146715a6edb188729823fe13a597b2b9968c69f7e9e32b4c7ef2ad06e1 2610 libxml2_2.9.14+dfsg-1.3~deb12u4.dsc
 8c2f4b1b03579a3010c4135e57c7754544bf8085960537532faaa0feb0f2930b 47500 libxml2_2.9.14+dfsg-1.3~deb12u4.debian.tar.xz
 9200c75c615988ee4240ee12aa0b245a6f3c89c15896e1ada78fb0f85e1330af 5253 libxml2_2.9.14+dfsg-1.3~deb12u4_source.buildinfo
Files:
 a698c4e092a04feff907da03ce9607ee 2610 libs optional libxml2_2.9.14+dfsg-1.3~deb12u4.dsc
 6de00eaa645f857fe82e99ed09cbe05a 47500 libs optional libxml2_2.9.14+dfsg-1.3~deb12u4.debian.tar.xz
 d2304bb4d4a32450169d24bd48c5229a 5253 libs optional libxml2_2.9.14+dfsg-1.3~deb12u4_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEBLHAyuu1xqoC2aJ5NP8o68vMTMgFAmisSpoACgkQNP8o68vM
TMg/EAf+JnrWJZ6P6dCJG+mRQjURLZGmNCMtQ+esFOCwNhti6Mx5nmDtBfFDB2mY
VuiCd6/xYLwRSOh1HHfwNFEE4+V7YXtgJRF8Jb9SoYHtmMq/gl/yaa2oSIv8YhnK
auaiwGK2VcAEvuuMdjf5+qqEQG8qhcWysHPho4XDyUAbTY1pHSObBn+ojvcWYCIo
r0PMy1rXgkYYUUqcuD0xz0SNX7OMQ6m20Fnl9edpTeL31b34R+bogLWkfzV+1aJ8
ecOyLNycfzCp5tt9YIDA1y7ENO5EUrHn4ohT3n1swTxi0UawosRFV4KPmk6Rzo9y
VI0UaPyufrI3m+t9qpMPWQM/x6Smrw==
=gRtm
-----END PGP SIGNATURE-----

#1109122#20
Date:
2025-10-15 01:19:06 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libxml2.9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1109122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated libxml2.9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 12 Oct 2025 02:04:59 +0200
Source: libxml2.9
Architecture: source
Version: 2.12.7+dfsg+really2.9.14-2.3
Distribution: unstable
Urgency: medium
Maintainer: Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 1109122
Changes:
 libxml2.9 (2.12.7+dfsg+really2.9.14-2.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Merge changes from libxml2/2.12.7+dfsg+really2.9.14-2.1+deb13u2:
     + Mitigate CVE-2025-7425/libxslt: Heap-use-after-free in xmlFreeID()
       caused by `atype` corruption. (Closes: #1109122)
     + Fix CVE-2025-9714: Stack overflow vulnerability via crafted expressions
       due to uncontrolled recursion in in XPath evaluation.
   * Fix unit tests for CVE-2025-49794 and -49796.
Checksums-Sha1:
 fef3c5402826ee0d6c041840ce0ff6ea891f5963 2972 libxml2.9_2.12.7+dfsg+really2.9.14-2.3.dsc
 a6998c2534672414709b48d5f04be675e94ad5c6 49500 libxml2.9_2.12.7+dfsg+really2.9.14-2.3.debian.tar.xz
 7639f91c3876795ce65c7374099bcc867c41ca34 8447 libxml2.9_2.12.7+dfsg+really2.9.14-2.3_amd64.buildinfo
Checksums-Sha256:
 a7eadfadecd2bd4c7251e29b38e37ea7f3e6a9945d36dc64dd443b239fb0b8e5 2972 libxml2.9_2.12.7+dfsg+really2.9.14-2.3.dsc
 2f7c3d00f31d2a4ef691d324da2ccb8808eb09735b845f1d3da87da1cc2fb839 49500 libxml2.9_2.12.7+dfsg+really2.9.14-2.3.debian.tar.xz
 e69cccc8dc25ff11e6b914794d93b473ba8cc1b448ebb8eac52fe4517039a57b 8447 libxml2.9_2.12.7+dfsg+really2.9.14-2.3_amd64.buildinfo
Files:
 78e9359d17ff678ee7b3dd946e3ecec5 2972 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.3.dsc
 5f9f0e6a4c5d5eb787fed1dcdaadd5d5 49500 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.3.debian.tar.xz
 35e2e0a1c6cd00c769ae3f4f6c3ec8ff 8447 libs optional libxml2.9_2.12.7+dfsg+really2.9.14-2.3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmjq+HQACgkQ05pJnDwh
pVJ0Wg//a5zDyVRDcPhRVRZyz9GVsPhFdUTFCrzLDgWYRE+6aCgkGGMRR1slaVqY
EQQlTowdzhpJiOM/BsfFMO7cJ78r0+NAUhgWV9qD6BS2G0qh65h63wKmNvyk1Xrg
d3YA0qeaJyMQbbjCm9YdvB+dUiI5pcqsk52DgrmwlVxBkIgty2honRP6ORKiM83j
+7i4u/hb150A4WqumEW1ZiovCaEnJxEsHyAzcuFIsow6acsXVehKYiaKE8pafjgj
TEU6Z2Y0pIUT0ceDPd7iQggCMEiDnUQOCRsFSTxHCgUfky4ThvvZtd141JaEfqD0
wE0YgADISMo6hQlHczqJRSjcCHVp7N0lhPoWAor+V9MBwFgVBzjbY7vRjfjpZ/zx
qk8HnQAG10JG/gNYZAVyZa7FqIp9uZmi8UiwcyR/FVE5ywdyb76xqrB1BQpQ03hc
Em1b/6eMCayOjfEzrr3yV0GXSGQKANxKLzI14XgmJGLI6quAnBozUJYVoZv9kD3X
Pb4D8jMpHEn9p8WKqtPkbfr7tLmzKy0X9vskkkUI9yuoDEalBqS5e3G9MEJaLqPG
niCGNAeAAVaM75YSwUpc13LCMA91SUuP0fSKpb8nlOV7TAljiQ8+/Edy1xx8qvIY
wbjd9hYKXWgke+LsaNgOfMkHtBi7oC1Pc1fLD0HnOeEvMmbLEDo=
=q7lq
-----END PGP SIGNATURE-----