CVE-2025-8732 LOW

Published: 2025-08-08 | Last Modified: 2026-06-02 | Status: Deferred

Description

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

Additional Descriptions (1)

Se encontró una vulnerabilidad en libxml2 hasta la versión 2.14.5. Se ha declarado problemática. Esta vulnerabilidad afecta a la función xmlParseSGMLCatalog del componente xmlcatalog. La manipulación provoca recursión incontrolada. Es necesario atacar localmente. Se ha hecho público el exploit y puede que sea utilizado. La existencia real de esta vulnerabilidad aún se duda. El responsable del código explica que «el problema solo puede desencadenarse con catálogos SGML no confiables y no tiene ningún sentido usarlos. Dudo también que alguien siga utilizando catálogos SGML».

CVSS Metrics

Base Score: 3.3 (LOW)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Attack Vector	LOCAL
Attack Complexity	LOW
Privileges Required	LOW
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	NONE
Availability Impact	LOW

Source: [email protected]

Type: Secondary

Exploitability Score: 1.8

Impact Score: 1.4

Base Score: 1.7 (LOW)

AV:L/AC:L/Au:S/C:N/I:N/A:P

Access Vector	LOCAL
Access Complexity	LOW
Authentication	SINGLE
Confidentiality Impact	NONE
Integrity Impact	NONE
Availability Impact	PARTIAL

Source: [email protected]

Type: Secondary

Exploitability Score: 3.1

Impact Score: 2.9

Base Score: 1.9 (LOW)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector	LOCAL
Attack Complexity	LOW
Attack Requirements	NONE
Privileges Required	LOW
User Interaction	NONE
Vulnerability Confidentiality	NONE
Vulnerability Integrity	NONE
Vulnerability Availability	LOW
Subsequent Confidentiality	NONE
Subsequent Integrity	NONE
Subsequent Availability	NONE

Source: [email protected]

Type: Secondary

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-404 en CWE-674

References

https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link
Source: [email protected]
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
Source: [email protected]
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
Source: [email protected]
https://vuldb.com/?ctiid.319228
Source: [email protected]
https://vuldb.com/?id.319228
Source: [email protected]
https://vuldb.com/?submit.622285
Source: [email protected]
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Source: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e