Fluid Attacks Database

Description

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	libxslt	=1.1.35-1.2 \|\| =1.1.35-2 \|\| =1.1.39-0exp1 \|\| =1.1.43-0.1 \|\| =1.1.43-0.2 \|\| =1.1.43-0.3 \|\| =1.1.43-0exp1 \|\| =1.1.45-0.1	-
rpm rhel8	libxml2	<0:2.9.7-21.el8_10.2	0:2.9.7-21.el8_10.2
rpm rhel8.4	libxml2	<0:2.9.7-9.el8_4.7	0:2.9.7-9.el8_4.7
rpm rhel10	libxslt	<0:1.1.39-8.el10_0	0:1.1.39-8.el10_0
rpm rhel7	libxml2	-	-
rpm rhel9	libxml2	<0:2.9.13-11.el9_6	0:2.9.13-11.el9_6
rpm rhel9.4	libxml2	<0:2.9.13-11.el9_4	0:2.9.13-11.el9_4
rpm rhel6	libxslt	-	-
rpm rhel10	libxml2	<0:2.12.5-8.el10_0	0:2.12.5-8.el10_0

Aliases

1. CVE-2025-74252. NVD-2025-74253. OSV-DEBIAN-2025-74254. OSV-2025-74255. SECURITY-TRACKER-CVE-2025-7425

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.