CVE-2025-8732

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

CVSS v3 3.3 LOW
CVSS v2.0 1.7 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://drive.google.com/file/d/1woIeYVcSQB_NwfEhaVnX6MedpWJ_nqWl/view?usp=drive_link
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
https://vuldb.com/?ctiid.319228
https://vuldb.com/?id.319228
https://vuldb.com/?submit.622285
https://cert-portal.siemens.com/productcert/html/ssa-253495.html

Configurations

No configuration.

History

02 Jun 2026, 14:16

Type	Values Removed	Values Added
References		() https://cert-portal.siemens.com/productcert/html/ssa-253495.html -

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en libxml2 hasta la versión 2.14.5. Se ha declarado problemática. Esta vulnerabilidad afecta a la función xmlParseSGMLCatalog del componente xmlcatalog. La manipulación provoca recursión incontrolada. Es necesario atacar localmente. Se ha hecho público el exploit y puede que sea utilizado. La existencia real de esta vulnerabilidad aún se duda. El responsable del código explica que «el problema solo puede desencadenarse con catálogos SGML no confiables y no tiene ningún sentido usarlos. Dudo también que alguien siga utilizando catálogos SGML».

08 Aug 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-08 17:15

Updated : 2026-06-02 14:16

NVD link : CVE-2025-8732

Mitre link : CVE-2025-8732

CVE.ORG link : CVE-2025-8732

JSON object : View

Products Affected

No product.

CWE

CWE-404

Improper Resource Shutdown or Release

CWE-674

Uncontrolled Recursion

3.3 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7 /10

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2025-8732

3.3^/10

1.7^/10

Attach tags to `CVE-2025-8732`