CVE-2025-24855
📋 TL;DR
CVE-2025-24855 is a use-after-free vulnerability in libxslt's numbers.c that occurs during nested XPath evaluations when an XPath context node is modified but not properly restored. This could allow attackers to execute arbitrary code or cause denial of service. Affected systems include any software using vulnerable versions of libxslt for XML/XSLT processing.
💻 Affected Systems
- libxslt
- Applications using libxslt for XML/XSLT processing
- GNOME-related software
- Debian packages with libxslt
📦 What is this software?
Libxslt by Xmlsoft
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if exploited in a vulnerable application processing untrusted XML/XSLT content.
Likely Case
Application crash or denial of service when processing malicious XML/XSLT content, potentially disrupting XML processing services.
If Mitigated
Limited impact if proper input validation and sandboxing prevent malicious XML/XSLT content from reaching vulnerable components.
🎯 Exploit Status
Exploitation requires the ability to supply malicious XML/XSLT content to a vulnerable application. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libxslt 1.1.43 and later
Vendor Advisory: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
Restart Required: No
Instructions:
1. Update libxslt to version 1.1.43 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade libxslt1.1
3. For source installations: download from https://gitlab.gnome.org/GNOME/libxslt, compile and install.
4. Rebuild any applications statically linked to libxslt.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict validation and sanitization of XML/XSLT input to prevent malicious content from reaching vulnerable libxslt functions.
Disable XSLT Processing
If XSLT processing is not required, disable it in applications to prevent exploitation vectors.
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using vulnerable libxslt versions from untrusted networks.
- Deploy web application firewalls (WAF) with XML/XSLT content filtering rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Check the libxslt version: xsltproc --version | grep 'libxslt'. Note that xsltproc reports the linked libxslt as a compacted number (major*10000 + minor*100 + micro, so 10142 means 1.1.42). If the version is earlier than 1.1.43, the system is vulnerable.
Check Version:
xsltproc --version | grep 'libxslt'
Verify Fix Applied:
After patching, verify version is 1.1.43 or later: xsltproc --version | grep 'libxslt'.
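The manual check above, as an added example script that is not part of this advisory: it parses the compacted number that xsltproc --version prints and compares it against 1.1.43. The function names and the sample output string are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): version check for CVE-2025-24855.
# xsltproc --version reports the linked libxslt as a compacted number
# (major*10000 + minor*100 + micro), e.g. "libxslt 10142" for 1.1.42.

FIXED_LIBXSLT=10143   # 1.1.43, the first fixed release named in the advisory

# Extract the compacted libxslt number from xsltproc --version output read
# on stdin; prints the number, or nothing if it is not found.
libxslt_compact_version() {
    sed -n 's/.*libxslt \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Render a compacted number as dotted major.minor.micro (10142 -> 1.1.42).
libxslt_dotted_version() {
    n="$1"
    printf '%d.%d.%d\n' $((n / 10000)) $((n / 100 % 100)) $((n % 100))
}

# Succeed (return 0) if the given compacted version is below the fixed release.
libxslt_is_vulnerable() {
    [ -n "$1" ] && [ "$1" -lt "$FIXED_LIBXSLT" ]
}

# Check the live system: prints a one-line verdict, returns 1 if vulnerable,
# 2 if the version could not be determined, 0 if fixed.
check_system_libxslt() {
    if ! command -v xsltproc >/dev/null 2>&1; then
        echo "xsltproc not found; check the libxslt package version directly"
        return 2
    fi
    v=$(xsltproc --version 2>&1 | libxslt_compact_version)
    if [ -z "$v" ]; then
        echo "could not parse libxslt version from xsltproc --version"
        return 2
    fi
    if libxslt_is_vulnerable "$v"; then
        echo "libxslt $(libxslt_dotted_version "$v") is VULNERABLE to CVE-2025-24855 (fixed in 1.1.43)"
        return 1
    fi
    echo "libxslt $(libxslt_dotted_version "$v") is not affected (1.1.43 or later)"
    return 0
}

# Constructed sample of xsltproc --version output, used to exercise the parser offline.
SAMPLE_OUTPUT='Using libxml 20914, libxslt 10142 and libexslt 10203'
```

Run check_system_libxslt on a host to get the verdict for the installed xsltproc; the exit code lets it be used from configuration-management or fleet-audit tooling.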
📡 Detection & Monitoring
Log Indicators:
- Application crashes or abnormal termination when processing XML/XSLT files
- Memory access violation errors in application logs
- Increased error rates in XML processing services
Network Indicators:
- Unusual XML/XSLT file uploads to web applications
- Spikes in XML processing requests followed by service degradation
SIEM Query:
source="application_logs" AND ("segmentation fault" OR "memory violation" OR "libxslt") AND "xml"