CVE-2025-49794

9.1 CRITICAL

📋 TL;DR

A use-after-free vulnerability in libxml2 allows attackers to crash an application, or trigger undefined behaviour, by supplying a malicious XML document that contains specific Schematron XPath elements. It affects any software that parses XML with a vulnerable libxml2 version, including web servers, document processors, and XML-based services.

💻 Affected Systems

Products:
  • libxml2
  • Applications using libxml2 library
Versions: libxml2 versions before 2.13.6
Operating Systems: Linux, Unix-like systems, Windows (if using libxml2)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses libxml2 with Schematron (XPath) support to parse XML is vulnerable by default when it processes untrusted input.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, though this requires specific memory layout conditions and exploit chaining.

🟠 Likely Case

Application crashes causing denial of service, potentially leading to data loss or service disruption.

🟢 If Mitigated

Limited impact with proper input validation and sandboxing, though crashes may still occur.

🌐 Internet-Facing: HIGH - Many internet-facing services parse XML input from untrusted sources.
🏢 Internal Only: MEDIUM - Internal applications processing XML may be vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific XML with schematron elements, but no public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxml2 2.13.6 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:10630

Restart Required: Yes

Instructions:

1. Update the libxml2 package to version 2.13.6 or later.
2. Restart affected services.
3. On Red Hat systems: yum update libxml2 && systemctl restart affected-services (substitute the names of the services that link against libxml2 for affected-services).

🔧 Temporary Workarounds

Disable XML external entity processing (applies to: all platforms)

Configure libxml2 to disable external entity processing, which reduces the attack surface:

  • Call xmlSetExternalEntityLoader(NULL)
  • Do not pass the XML_PARSE_NOENT option to the parsing functions (leave that bit clear in the options mask)

Input validation and sanitization (applies to: all platforms)

Validate and sanitize XML input before handing it to libxml2.

🧯 If You Can't Patch

  • Implement strict input validation and XML schema validation before libxml2 processing
  • Use application-level firewalls or WAFs to block malicious XML patterns

🔍 How to Verify

Check if Vulnerable:

Check libxml2 version: xml2-config --version or rpm -q libxml2

Check Version:

xml2-config --version || rpm -q libxml2 || dpkg -l libxml2

Verify Fix Applied:

Confirm that the reported version is 2.13.6 or later, then test with known malicious XML samples.
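The version check above can be automated. The following script is an added example and is not part of the original advisory or of libxml2: it parses the output of the three commands listed (xml2-config --version, rpm -q libxml2, dpkg -l libxml2), extracts the upstream x.y.z version, and compares it with the 2.13.6 fixed release named above. The command outputs in SAMPLES are constructed for this example. One caveat a practitioner needs: distribution packages (such as the Red Hat update referenced above) usually backport the fix while keeping an older upstream version string, so a "vulnerable" verdict from this script is a prompt to check the package changelog (for example rpm -q --changelog libxml2) or the vendor advisory, not a final answer.

```python
"""Classify an installed libxml2 as fixed or vulnerable to CVE-2025-49794.

Added example, not part of the original advisory. It parses the output of
the three version commands the advisory lists (xml2-config --version,
rpm -q libxml2, dpkg -l libxml2), extracts the upstream x.y.z version, and
compares it with 2.13.6, the fixed release named above. The command
outputs in SAMPLES are constructed for this example.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIXED_VERSION: Version = (2, 13, 6)  # first upstream release with the fix

_TRIPLE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z triple found in text, or None if there is none."""
    m = _TRIPLE_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_from_output(command: str, output: str) -> Optional[Version]:
    """Extract the libxml2 upstream version from one command's output.

    command is one of "xml2-config", "rpm" or "dpkg"; each tool prints the
    version in its own layout, so each gets its own parsing rule.
    """
    if command == "xml2-config":
        # Prints the bare version, e.g. "2.13.5"
        return parse_version(output)
    if command == "rpm":
        # Prints NEVRA, e.g. "libxml2-2.9.13-6.el9.x86_64"; an uninstalled
        # package prints "package libxml2 is not installed" instead
        m = re.match(r"libxml2-(\d+\.\d+\.\d+)", output.strip())
        return parse_version(m.group(1)) if m else None
    if command == "dpkg":
        # Table output; only an "ii" (installed) row for libxml2 counts, and
        # the version column may carry a Debian epoch ("2:") and suffixes
        for line in output.splitlines():
            fields = line.split()
            if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == "libxml2":
                return parse_version(fields[2].split(":", 1)[-1])
        return None
    raise ValueError(f"unknown command {command!r}")


def is_vulnerable(version: Optional[Version]) -> Optional[bool]:
    """True if version predates 2.13.6, False if fixed, None if unknown.

    A distro backport can be fixed while still reporting an older upstream
    version, so True means "check the package changelog", not "exploitable".
    """
    if version is None:
        return None
    return version < FIXED_VERSION


# The advisory's command chain, tried in order; the first tool that is
# installed and succeeds wins, mirroring "a || b || c" in the shell.
_PROBES = (
    ("xml2-config", ["xml2-config", "--version"]),
    ("rpm", ["rpm", "-q", "libxml2"]),
    ("dpkg", ["dpkg", "-l", "libxml2"]),
)


def detect_installed_version() -> Optional[Version]:
    """Run the probes on this host; None if no tool reports a version."""
    for name, argv in _PROBES:
        if shutil.which(argv[0]) is None:
            continue
        proc = subprocess.run(argv, capture_output=True, text=True)
        if proc.returncode != 0:
            continue
        version = version_from_output(name, proc.stdout)
        if version is not None:
            return version
    return None


# Constructed sample outputs (not captured from real systems)
SAMPLES = {
    "xml2-config": "2.13.5\n",
    "rpm": "libxml2-2.9.13-6.el9.x86_64\n",
    "dpkg": (
        "Desired=Unknown/Install/Remove/Purge/Hold\n"
        "| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend\n"
        "|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)\n"
        "||/ Name           Version                 Architecture Description\n"
        "+++-==============-=======================-============-=================\n"
        "ii  libxml2:amd64  2.9.14+dfsg-1.3~deb12u1 amd64        GNOME XML library\n"
    ),
}

if __name__ == "__main__":
    for name, output in SAMPLES.items():
        version = version_from_output(name, output)
        print(f"{name:12s} -> {version} vulnerable={is_vulnerable(version)}")
    print("this host   ->", detect_installed_version())
```

Run it without arguments to see the three constructed samples classified and then the probe result for the host it runs on; on a host with none of the three tools the last line prints None, which is the "manual verification required" case the advisory describes.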

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Unexpected termination of XML processing services
  • Memory corruption errors in system logs

Network Indicators:

  • Unusually large or malformed XML payloads to XML endpoints
  • Repeated connection attempts to XML processing services

SIEM Query:

source="*xml*" AND (event="segmentation fault" OR event="crash" OR event="memory corruption")
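Where no SIEM is available, the same filter can be applied to host log lines directly. The script below is an added example, not part of the original advisory: it implements the intent of the query above (an XML-related source AND a segmentation fault, crash or memory-corruption event) against syslog-style lines, using the concrete strings the kernel, systemd and glibc emit for those events, and counts matches per process so repeated crashes of one XML service stand out. The log lines in SAMPLE_LOG are constructed, not real captures; the service name xmlsvc is an assumption.

```python
"""Scan syslog-style lines for the crash indicators listed above.

Added example, not part of the original advisory. It applies the SIEM
query's logic (xml-related source AND segfault/crash/memory-corruption
event) to plain log lines. SAMPLE_LOG is constructed; "xmlsvc" is an
assumed service name, not a real product.
"""
import re
from typing import Dict, List

# Constructed sample: a kernel segfault record for an XML service, the
# systemd termination notice for it, two glibc heap-corruption aborts, and
# two unrelated lines (one of them a segfault in a non-XML process).
SAMPLE_LOG = """\
Jun 12 10:01:02 web01 kernel: xmlsvc[2214]: segfault at 18 ip 00007f1c2a3b4c5d sp 00007ffd1234abcd error 4 in libxml2.so.2.9.13[7f1c2a300000+1a5000]
Jun 12 10:01:02 web01 systemd[1]: xmlsvc.service: Main process exited, code=dumped, status=11/SEGV
Jun 12 10:01:05 web01 xmlsvc[2250]: malloc(): corrupted top size
Jun 12 10:01:07 web01 xmlsvc[2250]: double free or corruption (out)
Jun 12 10:02:00 web01 sshd[900]: Accepted publickey for deploy from 10.0.0.5
Jun 12 10:02:30 web01 kernel: badapp[3000]: segfault at 0 ip 0000000000401000 sp 00007ffd00000000 error 4 in badapp[400000+1000]
"""

# The "source" half of the SIEM query: the line must involve an XML component
XML_SOURCE_RE = re.compile(r"xml", re.IGNORECASE)

# The "event" half, with the strings these events take in kernel, systemd
# and glibc messages
EVENT_PATTERNS = {
    "segmentation fault": re.compile(r"\bsegfault at\b|status=11/SEGV|Segmentation fault", re.I),
    "crash": re.compile(r"code=dumped|core dumped|Main process exited", re.I),
    "memory corruption": re.compile(r"corrupted|double free|free\(\): invalid|malloc\(\):", re.I),
}


def classify_line(line: str) -> List[str]:
    """Return the indicator names one log line matches (empty if none)."""
    if not XML_SOURCE_RE.search(line):
        return []
    return [name for name, pat in EVENT_PATTERNS.items() if pat.search(line)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per matching line: line number, indicators, text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        names = classify_line(line)
        if names:
            hits.append({"line": lineno, "indicators": names, "text": line})
    return hits


def process_name(line: str) -> str:
    """Best-effort name of the crashing process.

    systemd notices name the unit ("xmlsvc.service:"); kernel and glibc
    lines carry the process as the last "name[pid]:" token.
    """
    m = re.search(r"(\S+)\.service:", line)
    if m:
        return m.group(1)
    tokens = re.findall(r"(\w[\w.-]*)\[\d+\]:", line)
    return tokens[-1] if tokens else "unknown"


def crash_count_by_process(text: str) -> Dict[str, int]:
    """Count matching lines per process, for repeated-crash alerting."""
    counts: Dict[str, int] = {}
    for hit in scan_log(text):
        name = process_name(str(hit["text"]))
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {', '.join(hit['indicators'])}")
    print("matches per process:", crash_count_by_process(SAMPLE_LOG))
```

The source filter is deliberately broad (any line mentioning "xml"), which matches the query's source="*xml*" wildcard; on a real host, narrow XML_SOURCE_RE to the unit names and library paths of the services that actually link libxml2 to cut noise, and alert when crash_count_by_process exceeds a threshold in a short window rather than on every single line.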
