CVE-2025-6498 — Missing Release of Memory after Effective Lifetime in Tidy-html5

CWE-401 — Missing Release of Memory after Effective Lifetime CWE-404 — Improper Resource Shutdown or Release5 documents5 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 67.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Htacg Tidy-html5 Htacg Tidy Debian Tidy-html5 +2 more

Timeline

PublishedJun 23

Description

A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5htacg/tidy-html55.8.0

▶NVDhtacg/tidy5.8.0

▶debiandebian/tidy-html5

▶msrcmsrc/azl3_tidy_5.8.0-6_on_azure_linux_3.0

▶msrcmsrc/cbl2_tidy_5.8.0-6_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2025-6498: A vulnerability classified as problematic has been found in HTACG tidy-html5 5↗2025-06-23

▶

GHSA

GHSA-449v-6j3r-mxhj: A vulnerability classified as problematic has been found in HTACG tidy-html5 5↗2025-06-23

▶

📋Vendor Advisories

Microsoft

HTACG tidy-html5 alloc.c defaultAlloc memory leak↗2025-06-10

▶

Debian

CVE-2025-6498: tidy-html5 - A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8...↗2025

▶