CVE-2025-9714

CWE-674 — Uncontrolled Recursion CWE-6067 documents7 sources

Severity

5.5MEDIUM

EPSS

0.0%

top 99.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libxml2 Libxml2 Xmlsoft Libxml2

Timeline

PublishedSep 10

Description

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5libxml2/libxml2< 2.10.0+7

▶NVDxmlsoft/libxml2< 2.10.0

▶Debianlibxml2< 2.9.10+dfsg-6.7+deb11u9+3

Patches

Patch: gitlab.gnome.org ↗

🔴Vulnerability Details

OSV

CVE-2025-9714: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2↗2025-09-10

▶

GHSA

GHSA-fmj5-rvmp-845r: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2↗2025-09-10

▶

CVEList

Stack overflow in libxml2↗2025-09-10

▶

📋Vendor Advisories

Ubuntu

libxml2 vulnerability↗2025-09-10

▶

Red Hat

libxslt: libxml2: Inifinite recursion at exsltDynMapFunction function in libexslt/dynamic.c↗2025-09-02

▶

Debian

CVE-2025-9714: libxml2 - Uncontrolled recursion in XPath evaluation in libxml2 up to and including versio...↗2025

▶