CVE-2024-25062

7.5 HIGH

📋 TL;DR

CVE-2024-25062 is a use-after-free in libxml2's XML Reader interface, triggered when a crafted XML document is processed with both DTD validation and XInclude expansion enabled. It affects any application that parses XML with a vulnerable libxml2 version in that configuration, and can lead to memory corruption and potentially arbitrary code execution.

💻 Affected Systems

Products:
  • libxml2
  • Any software using libxml2 library
Versions: libxml2 before 2.11.7, 2.12.x before 2.12.5
Operating Systems: Linux, Unix-like systems, Any OS using libxml2
Default Config Vulnerable: ✅ No
Notes: Requires XML Reader interface with both DTD validation AND XInclude expansion enabled simultaneously.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case

Application crash (denial of service) or memory corruption leading to unstable behavior.

🟢 If Mitigated

Limited impact if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific XML parsing configuration and crafted malicious XML input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxml2 2.11.7, 2.12.5

Vendor Advisory: https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

Restart Required: Yes

Instructions:

1. Update the libxml2 package to 2.11.7 or later (2.11 branch) or 2.12.5 or later (2.12 branch).
2. Restart affected services/applications so they load the updated shared library.
3. Rebuild (relink) any statically linked applications against the updated library.

🔧 Temporary Workarounds

Disable vulnerable features

Applies to: all

Disable either DTD validation or XInclude expansion in the XML Reader configuration; the bug requires both to be enabled at the same time.

Review the parsing options set in application code (such as XML_PARSE_NOENT and XML_PARSE_DTDVALID) so that the XML Reader does not run with DTD validation and XInclude expansion both enabled on untrusted input.

🧯 If You Can't Patch

  • Implement strict XML input validation and sanitization
  • Run vulnerable applications in sandboxed/containerized environments with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check the installed libxml2 version with xml2-config --version or dpkg -l libxml2 (xml2-config ships with the development package, so on hosts without it use the package manager query).

Check Version:

xml2-config --version || dpkg -l libxml2 || rpm -q libxml2

Verify Fix Applied:

Confirm the installed version is 2.11.7 or later (2.11 branch) or 2.12.5 or later (2.12 branch), then test XML parsing with the previously vulnerable configuration (XML Reader with DTD validation and XInclude expansion both enabled) to confirm it behaves correctly.
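As an added example (not from the advisory or from the libxml2 project), the following POSIX sh script resolves the installed libxml2 version the same way the check above does and classifies it against the affected ranges stated above; it also copes with distro-style version strings that carry an epoch or packaging suffix. The function names are my own.

```shell
# Added example, not part of the advisory or of libxml2: classify a
# libxml2 version string against the ranges affected by CVE-2024-25062
# (anything before 2.11.7, and 2.12.x before 2.12.5).
# libxml2_affected VERSION -> exit status 0 = affected, 1 = has the fix.
# Accepts strings such as "1:2.9.14+dfsg-1.3~deb12u1" (epoch and suffix dropped).
libxml2_affected() {
    v=${1#*:}                  # drop a Debian epoch such as "1:"
    v=${v%%[+~-]*}             # drop "+dfsg-1.3~deb12u1" style suffixes
    case $v in
        *.*.*) maj=${v%%.*}; rest=${v#*.}
               min=${rest%%.*}; pat=${rest#*.}; pat=${pat%%.*} ;;
        *.*)   maj=${v%%.*}; min=${v#*.}; pat=0 ;;
        *)     maj=$v; min=0; pat=0 ;;
    esac
    # keep only the leading digits of each part ("7rc1" -> "7"), default 0
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    [ -n "$maj" ] || maj=0; [ -n "$min" ] || min=0; [ -n "$pat" ] || pat=0
    num=$((maj * 1000000 + min * 1000 + pat))
    if [ "$num" -lt 2011007 ]; then return 0; fi            # before 2.11.7
    if [ "$maj" -eq 2 ] && [ "$min" -eq 12 ] && [ "$pat" -lt 5 ]; then
        return 0                                             # 2.12.0 .. 2.12.4
    fi
    return 1
}
# Installed version via xml2-config (dev package), then dpkg, then rpm; empty if unknown.
installed_libxml2_version() {
    if command -v xml2-config >/dev/null 2>&1; then
        xml2-config --version
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' libxml2 2>/dev/null
    elif rpm -q libxml2 >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2
    fi
}
# Verdict for this host; exit status 0 = affected, 1 = fixed, 2 = not found.
report_libxml2() {
    ver=$(installed_libxml2_version)
    if [ -z "$ver" ]; then
        echo "libxml2: not found (no xml2-config, dpkg or rpm record)"; return 2
    elif libxml2_affected "$ver"; then
        echo "libxml2 $ver: AFFECTED by CVE-2024-25062, update to 2.11.7 / 2.12.5 or later"
    else
        echo "libxml2 $ver: contains the fix for CVE-2024-25062"; return 1
    fi
}
report_libxml2 || true   # non-zero status only means "fixed" or "not found"
```

The exit status of libxml2_affected makes it usable from inventory or CI scripts that need a yes/no answer rather than the printed line.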

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unexpected XML parsing failures

Network Indicators:

  • Unusual XML payloads targeting XML parsing endpoints

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "use-after-free" OR "xmlValidatePopElement")
