CVE-2025-9714
Published: 2025-09-10
Priority: P4 / 24 / medium
CVSS 3.1: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.14% (4.1th percentile)
Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.
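As an added, constructed illustration of the bug class described above (this is not libxml2's code and does not reproduce its XPath evaluator), the following C program contrasts an evaluator entry point that resets a shared recursion-depth counter on each call with one that preserves the counter across re-entrant calls. The input is a string of nested parentheses around a single atom, standing in for a nested expression; the names `eval_ctx`, `eval_entry_buggy`, `eval_entry_fixed`, `eval_inner`, `eval_nested` and the limit `MAX_DEPTH` are all assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libxml2 code. A toy recursive evaluator for
 * strings such as "((x))" tracks nesting depth in a shared context. The
 * "buggy" entry point resets that counter to zero on every call, the bug
 * class described for CVE-2025-9714; the "fixed" entry point leaves the
 * inherited depth alone so the limit check can fire. */

#define MAX_DEPTH   64
#define EVAL_LIMIT  (-1)   /* nesting limit exceeded */
#define EVAL_SYNTAX (-2)   /* malformed input */

typedef struct {
    int depth;             /* current nesting depth, shared by all calls */
} eval_ctx;

typedef int (*entry_fn)(eval_ctx *ctx, const char *s, size_t *pos);

static int eval_inner(eval_ctx *ctx, const char *s, size_t *pos, entry_fn entry);

/* BUGGY entry point: discards the depth accumulated by its callers. Since
 * eval_inner re-enters through the entry point for every '(' (the way an
 * XPath function can call back into the evaluator), the counter never grows
 * and the limit is never enforced. */
static int eval_entry_buggy(eval_ctx *ctx, const char *s, size_t *pos)
{
    ctx->depth = 0;                          /* the defect */
    return eval_inner(ctx, s, pos, eval_entry_buggy);
}

/* FIXED entry point: preserves the inherited depth across re-entrant calls. */
static int eval_entry_fixed(eval_ctx *ctx, const char *s, size_t *pos)
{
    return eval_inner(ctx, s, pos, eval_entry_fixed);
}

/* Parse one group at *pos. Returns the group's nesting depth, EVAL_LIMIT when
 * MAX_DEPTH is exceeded, or EVAL_SYNTAX on malformed input. */
static int eval_inner(eval_ctx *ctx, const char *s, size_t *pos, entry_fn entry)
{
    if (s[*pos] == 'x') {                    /* atom: depth 0 */
        (*pos)++;
        return 0;
    }
    if (s[*pos] != '(')
        return EVAL_SYNTAX;
    (*pos)++;

    if (++ctx->depth > MAX_DEPTH) {          /* guard that must see the real depth */
        ctx->depth--;
        return EVAL_LIMIT;
    }
    int inner = entry(ctx, s, pos);          /* re-entrant call through the entry point */
    ctx->depth--;
    if (inner < 0)
        return inner;
    if (s[*pos] != ')')
        return EVAL_SYNTAX;
    (*pos)++;
    return inner + 1;
}

typedef struct {
    int result;        /* evaluator return value */
    int depth_after;   /* ctx.depth once evaluation has unwound */
} eval_outcome;

/* Build a constructed input of n nested groups around one atom (n <= 200)
 * and evaluate it with the given entry point. */
static eval_outcome eval_nested(entry_fn entry, int n)
{
    static char buf[512];
    eval_outcome out = { EVAL_SYNTAX, 0 };
    if (n < 0 || n > 200)
        return out;
    memset(buf, '(', (size_t)n);
    buf[n] = 'x';
    memset(buf + n + 1, ')', (size_t)n);
    buf[2 * n + 1] = '\0';

    eval_ctx ctx = { 0 };
    size_t pos = 0;
    out.result = entry(&ctx, buf, &pos);
    out.depth_after = ctx.depth;
    return out;
}

int main(void)
{
    /* A shallow expression is accepted either way; a deeply nested one is
     * only rejected when the depth counter survives re-entry. */
    printf("shallow: buggy=%d fixed=%d\n",
           eval_nested(eval_entry_buggy, 3).result,
           eval_nested(eval_entry_fixed, 3).result);
    printf("deep:    buggy=%d fixed=%d\n",
           eval_nested(eval_entry_buggy, 100).result,
           eval_nested(eval_entry_fixed, 100).result);
    return 0;
}
```

With the fixed entry point the 100-deep input is rejected with `EVAL_LIMIT` once the 65th group is opened, and `depth_after` returns to 0 because every increment is matched by a decrement. With the buggy entry point the same input evaluates to 100 and the counter ends up negative, which is the observable signature of a depth guard that is being reset underneath its own recursion; in a real evaluator that unbounded recursion is what exhausts the stack.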
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libxml2 | < libxml2 2.9.14+dfsg-1.3~deb12u5 (bookworm) | libxml2 2.9.14+dfsg-1.3~deb12u5 (bookworm) |
| libxml2 | libxml2 | < 2.10.0 | 2.10.0 |
| libxml2 | libxml2 | < 2.12.7+dfsg+really2.9.14-0.4ubuntu0.3 | 2.12.7+dfsg+really2.9.14-0.4ubuntu0.3 |
| libxml2 | libxml2 | < 2.9.14+dfsg-1.3ubuntu3.5 | 2.9.14+dfsg-1.3ubuntu3.5 |
| libxml2 | libxml2 | < 2.9.13+dfsg-1ubuntu0.9 | 2.9.13+dfsg-1ubuntu0.9 |
| libxml2 | libxml2 | < 2.9.10+dfsg-5ubuntu0.20.04.10+esm2 | 2.9.10+dfsg-5ubuntu0.20.04.10+esm2 |
| libxml2 | libxml2 | < 2.9.4+dfsg1-6.1ubuntu1.9+esm5 | 2.9.4+dfsg1-6.1ubuntu1.9+esm5 |
| libxml2 | libxml2 | < 2.9.3+dfsg1-1ubuntu0.7+esm10 | 2.9.3+dfsg1-1ubuntu0.7+esm10 |
| libxml2 | libxml2 | < 2.9.1+dfsg1-3ubuntu4.13+esm9 | 2.9.1+dfsg1-3ubuntu4.13+esm9 |
| xmlsoft | libxml2 | < 2.10.0 | 2.10.0 |
| xmlsoft | libxml2 | >= 0 < 2.9.10+dfsg-6.7+deb11u9 | 2.9.10+dfsg-6.7+deb11u9 |
| xmlsoft | libxml2 | >= 0 < 2.9.14+dfsg-1.3~deb12u5 | 2.9.14+dfsg-1.3~deb12u5 |
| xmlsoft | libxml2 | >= 0 < 2.12.7+dfsg+really2.9.14-2.1+deb13u2 | 2.12.7+dfsg+really2.9.14-2.1+deb13u2 |
| xmlsoft | libxml2 | >= 0 < 2.14.5+dfsg-0.1 | 2.14.5+dfsg-0.1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | 5.5 | MEDIUM | |
| vendor_debian | 6.2 | MEDIUM | |
| vendor_redhat | 6.2 | MEDIUM | |
OSV
CVE-2025-9714: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2
osv · 2025-09-10 · CVSS 5.5 · severity MEDIUM
GHSA
GHSA-fmj5-rvmp-845r: Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2
ghsa_unreviewed · 2025-09-10 · severity MEDIUM · CWE-674
Ubuntu
libxml2 vulnerability
vendor_ubuntu · 2025-09-10 · severity MEDIUM
Summary: libxml2 could be made to crash if it received specially crafted input.
Nikita Sveshnikov discovered that libxml2 incorrectly handled recursion when processing XPath expressions. An attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libxslt: libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c
vendor_redhat · 2025-09-02 · CVSS 6.2 · severity MEDIUM · CWE-606
A flaw was found in libxslt/libxml2. The 'exsltDynMapFunction' function in libexslt/dynamic.c does not contain a recursion depth check, wh
Debian
CVE-2025-9714: libxml2 - Uncontrolled recursion in XPath evaluation in libxml2 up to and including versio...
vendor_debian · 2025 · CVSS 6.2 · severity MEDIUM
Scope: local
bookworm: resolved (fixed in 2.9.14+dfsg-1.3~deb12u5)
bullseye: resolved (fixed in 2.9.10+dfsg-6.7+deb11u9)
forky: resolved (fixed in 2.14.5+dfsg-0.1)
sid: resolved (fixed in 2.14.5+dfsg-0.1)
trixie: resolved (fixed in
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-9714 mingw-libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c [fedora-42]
bugzilla · 2025-11-27 · CVSS 5.5 · severity MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora
Bugzilla
CVE-2025-9714 libxslt: libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c
bugzilla · 2025-09-02 · CVSS 5.5 · severity MEDIUM
A critical stack overflow vulnerability was discovered in the libxslt library when handling the dyn:map() function from the EXSLT extension. The vulnerability allows an attacker to cause a denial of service (DoS) via a specially crafted XSLT document containing the recursive dyn:map(., .) call.
The main reason for the vulnerability is that the exsltDynMapFunction function in libexslt/dynamic.c doesn't contain a recursion depth check. When handling dyn:map(., .) where the second parameter contains a recursive call to the same function, infinite recursion occurs until the program stack is exhausted.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterpri
Bugzilla
CVE-2025-9714 libxml2: Infinite recursion at exsltDynMapFunction function in libexslt/dynamic.c [fedora-42]
bugzilla · 2025-09-02 · CVSS 5.5 · severity MEDIUM