cbcvebase.
CVE-2025-9714
published 2025-09-10

Priority: P4, 24, medium
CVSS 3.1: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.14% (4.1th percentile)

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.
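
A toy C model of the depth-counter flaw described above, added here as an illustration; it is not libxml2 code. `Ctx`, `run_eval`, `eval_step`, `eval_chain` and `MAX_DEPTH` are hypothetical names, and the chain of nested expressions is constructed sample input.

```c
#include <stdio.h>

#define MAX_DEPTH 32   /* assumed limit for this toy model */

typedef struct Expr { const struct Expr *inner; } Expr;
/* depth: counter the guard checks; actual/peak: true nesting (instrumentation) */
typedef struct { int depth, actual, peak; } Ctx;

static int run_eval(Ctx *c, const Expr *e, int preserve_depth);

/* One evaluation step, guarded by c->depth; nested work re-enters the entry point. */
static int eval_step(Ctx *c, const Expr *e, int preserve_depth) {
    int rc = 0;
    if (++c->depth > MAX_DEPTH) { c->depth--; return -1; }
    if (++c->actual > c->peak) c->peak = c->actual;
    if (e->inner != NULL)
        rc = run_eval(c, e->inner, preserve_depth);
    c->actual--;
    c->depth--;
    return rc;
}

/* Entry point. preserve_depth == 0 models the pre-fix reset to zero. */
static int run_eval(Ctx *c, const Expr *e, int preserve_depth) {
    int saved = c->depth, rc;
    if (!preserve_depth) c->depth = 0;   /* the flaw: guard state is discarded */
    rc = eval_step(c, e, preserve_depth);
    c->depth = saved;
    return rc;
}

/* Evaluate a constructed chain of n nested expressions; report peak nesting. */
int eval_chain(int n, int preserve_depth, int *peak) {
    static Expr nodes[1024];
    Ctx c = {0, 0, 0};
    int i, rc;
    if (n < 1 || n > 1024) return -2;
    for (i = 0; i < n; i++)
        nodes[i].inner = (i + 1 < n) ? &nodes[i + 1] : NULL;
    rc = run_eval(&c, &nodes[0], preserve_depth);
    *peak = c.peak;
    return rc;
}

int main(void) {
    int peak = 0, rc = eval_chain(500, 0, &peak);
    printf("depth reset:     rc=%d peak=%d\n", rc, peak);
    rc = eval_chain(500, 1, &peak);
    printf("depth preserved: rc=%d peak=%d\n", rc, peak);
    return 0;
}
```

With the reset, the guard never fires and nesting tracks the input length; with the depth preserved, evaluation stops with an error at `MAX_DEPTH`.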

Affected

14 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u5 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u5 (bookworm) |
| libxml2 | libxml2 | < 2.10.0 | 2.10.0 |
| libxml2 | libxml2 | < 2.12.7+dfsg+really2.9.14-0.4ubuntu0.3 | 2.12.7+dfsg+really2.9.14-0.4ubuntu0.3 |
| libxml2 | libxml2 | < 2.9.14+dfsg-1.3ubuntu3.5 | 2.9.14+dfsg-1.3ubuntu3.5 |
| libxml2 | libxml2 | < 2.9.13+dfsg-1ubuntu0.9 | 2.9.13+dfsg-1ubuntu0.9 |
| libxml2 | libxml2 | < 2.9.10+dfsg-5ubuntu0.20.04.10+esm2 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm2 |
| libxml2 | libxml2 | < 2.9.4+dfsg1-6.1ubuntu1.9+esm5 | 2.9.4+dfsg1-6.1ubuntu1.9+esm5 |
| libxml2 | libxml2 | < 2.9.3+dfsg1-1ubuntu0.7+esm10 | 2.9.3+dfsg1-1ubuntu0.7+esm10 |
| libxml2 | libxml2 | < 2.9.1+dfsg1-3ubuntu4.13+esm9 | 2.9.1+dfsg1-3ubuntu4.13+esm9 |
| xmlsoft | libxml2 | < 2.10.0 | 2.10.0 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u9 | 2.9.10+dfsg-6.7+deb11u9 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u5 | 2.9.14+dfsg-1.3~deb12u5 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 |
| xmlsoft | libxml2 | >= 0 < 2.14.5+dfsg-0.1 | 2.14.5+dfsg-0.1 |

CVSS provenance

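| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | | 5.5 | MEDIUM | |
| vendor_debian | | 6.2 | MEDIUM | |
| vendor_redhat | | 6.2 | MEDIUM | |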