CVE-2025-29699 – NetSurf 3.11 contains a use-after-free vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-29699?

CVE-2025-29699 has a CVSS score of 6.5 (MEDIUM). NetSurf 3.11 contains a use-after-free vulnerability in the dom_node_set_text_content function that could allow memory corruption. This affects users running NetSurf browser version 3.11. Attackers could potentially exploit this to execute arbitrary code or crash the browser.

📋 TL;DR

NetSurf 3.11 contains a use-after-free vulnerability in the dom_node_set_text_content function that could allow memory corruption. This affects users running NetSurf browser version 3.11. Attackers could potentially exploit this to execute arbitrary code or crash the browser.

💻 Affected Systems

Products:

NetSurf

Versions: 3.11

Operating Systems: Linux, BSD, RISC OS, AmigaOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects NetSurf browser version 3.11. Other versions and browsers are not affected.

📦 What is this software?

Netsurf by Netsurf Browser

View all CVEs affecting Netsurf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities or running with elevated privileges.

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption that could be leveraged for information disclosure.

🟢

If Mitigated

Browser crash with no data loss if running with standard user privileges and proper sandboxing.

🌐 Internet-Facing: MEDIUM - Requires user interaction (visiting malicious website) but no authentication needed.

🏢 Internal Only: LOW - Primarily affects client-side browser, not server infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Proof of concept available in GitHub repository. Exploitation requires user to visit malicious website.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.12 or later

Vendor Advisory: https://www.netsurf-browser.org/news/releases/3.12/

Restart Required: Yes

Instructions:

1. Download NetSurf 3.12 or later from official website. 2. Uninstall current version. 3. Install updated version. 4. Restart browser.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution in NetSurf

Edit netsurf preferences: set 'javascript.enable' to false

Use alternative browser

all

Temporarily switch to different browser until patch is applied

🧯 If You Can't Patch

Restrict browser to trusted websites only using URL filtering
Run browser with reduced privileges and in sandboxed environment

🔍 How to Verify

Check if Vulnerable:

Check NetSurf version: netsurf --version | grep 'NetSurf'

Check Version:

netsurf --version | grep 'NetSurf'

Verify Fix Applied:

Verify version is 3.12 or higher: netsurf --version

📡 Detection & Monitoring

Log Indicators:

Browser crash logs with memory access violations
Segmentation fault errors in system logs

Network Indicators:

Unusual outbound connections after visiting websites
Multiple rapid browser crashes

SIEM Query:

process_name:"netsurf" AND (event_type:"crash" OR error:"segmentation fault")

📊 Metadata

CVE ID: CVE-2025-29699

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-416

EPSS Score: 0.08% exploit probability (22.4th percentile)

Published: November 3, 2025

Last Updated: November 5, 2025

🔗 References

https://github.com/Fysac/netsurf-disclosure/tree/main/CVE-2025-29699 Exploit,Third Party Advisory
https://www.netsurf-browser.org/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-29699, you might also want to check these: