CVE-2025-24855 Overview
CVE-2025-24855 is a use-after-free vulnerability in libxslt, the XSLT processing library developed by xmlsoft. The vulnerability exists in numbers.c and affects versions prior to 1.1.43. During nested XPath evaluations, an XPath context node can be modified but is never properly restored, leading to a use-after-free condition. This issue is related to several functions including xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
Critical Impact
A local attacker with low privileges can potentially achieve arbitrary code execution, compromise data confidentiality and integrity, or cause application crashes through exploitation of this memory corruption vulnerability.
Affected Products
- xmlsoft libxslt versions prior to 1.1.43
Discovery Timeline
- 2025-03-14 - CVE-2025-24855 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-24855
Vulnerability Analysis
This use-after-free vulnerability (CWE-416) occurs within the XPath evaluation mechanism of libxslt. When processing nested XPath expressions, the library modifies the XPath context node during evaluation but fails to restore it to its original state afterward. This improper memory management creates a dangling pointer situation where the application may reference memory that has already been freed.
The vulnerability affects core XSLT transformation functions that handle numeric formatting and predicate evaluation. When a malicious XSLT stylesheet triggers specific nested XPath evaluation patterns, the corrupted context can lead to memory access violations, potentially allowing an attacker to execute arbitrary code or cause denial of service conditions.
Root Cause
The root cause lies in improper memory lifecycle management within libxslt's XPath evaluation routines. Specifically, when nested XPath evaluations occur, the context node is modified to facilitate the nested evaluation but the original context state is never properly saved and restored. This violates the expected memory safety invariants and results in the use of freed memory when subsequent operations attempt to access the original context.
The affected functions (xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal) each interact with the XPath context in ways that can trigger this unsafe behavior when processing specially crafted input.
Attack Vector
The attack vector is local, requiring an attacker to have local access to the system with low privileges. The attacker must be able to provide a malicious XSLT stylesheet or XML document to an application that uses the vulnerable libxslt library for processing.
The vulnerability can be triggered when an application processes XSLT transformations containing nested XPath expressions that manipulate the context node in specific patterns. No user interaction is required once the malicious input is processed by the vulnerable library.
Detection Methods for CVE-2025-24855
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using libxslt during XSLT transformation operations
- Memory corruption errors logged by applications performing XML/XSLT processing
- Abnormal memory access patterns detected by memory sanitizers (AddressSanitizer, Valgrind)
- Presence of suspicious XSLT files with deeply nested XPath expressions on the system
Detection Strategies
- Deploy memory safety tools (AddressSanitizer, Valgrind) in development and testing environments to detect use-after-free conditions
- Monitor application logs for crashes related to libxslt functions, particularly xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal
- Implement file integrity monitoring for XSLT stylesheets in production environments
- Use software composition analysis (SCA) tools to identify vulnerable libxslt versions in your software supply chain
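The log-monitoring strategy above is easier to operationalise if crash markers (sanitizer reports, kernel segfault lines) are correlated with the stack frames that follow them, because a sanitizer prints the error type on one line and the implicated functions several lines later. The scanner below, an added example for this advisory rather than libxslt project code, groups a marker line with the frames printed after it and ranks each event by whether one of the four functions named in the advisory is on the stack. The log text in SAMPLE_LOG is constructed for illustration; its addresses and module offsets are made up.

```python
"""Correlate memory-corruption markers in crash / sanitizer logs with stack
frames that name the libxslt functions the advisory ties to CVE-2025-24855.

Added example for this advisory (not libxslt project code). SAMPLE_LOG is a
constructed sample; the addresses and offsets in it are invented.
"""
import re
from dataclasses import dataclass, field

# Functions the advisory names as involved in the unrestored-context bug.
AFFECTED_FUNCS = frozenset({
    "xsltNumberFormatGetValue",
    "xsltEvalXPathPredicate",
    "xsltEvalXPathStringNs",
    "xsltComputeSortResultInternal",
})

# Lines that open a crash / sanitizer event (ASan, Valgrind, kernel, glibc).
MARKER_RE = re.compile(
    r"heap-use-after-free|Segmentation fault|segfault|SEGV|Invalid read of size|double[- ]free",
    re.IGNORECASE,
)
# One stack frame as printed by ASan or gdb: "#3 0x... in func (module+off)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(\S+))?\s*(.*)$")
MAX_FRAME_DISTANCE = 12  # frames further than this from the marker line are not attached


@dataclass
class CrashEvent:
    line_no: int
    marker: str
    header: str
    frames: list = field(default_factory=list)  # (function or None, rest of frame line)

    def affected_functions(self):
        return [f for f, _ in self.frames if f in AFFECTED_FUNCS]

    def mentions_libxslt(self):
        return "libxslt" in self.header or any("libxslt" in rest for _, rest in self.frames)

    def severity(self):
        """high: an affected function is on the stack; medium: libxslt is
        implicated without a symbolised frame; low: crash unrelated to libxslt."""
        if self.affected_functions():
            return "high"
        if self.mentions_libxslt():
            return "medium"
        return "low"


def parse_crash_events(log_text):
    """A marker line opens a CrashEvent; frame lines printed within
    MAX_FRAME_DISTANCE lines of it are attached to that event."""
    events, current = [], None
    for n, line in enumerate(log_text.splitlines(), 1):
        m = MARKER_RE.search(line)
        if m:
            current = CrashEvent(n, m.group(0), line.strip())
            events.append(current)
            continue
        f = FRAME_RE.match(line)
        if f and current is not None and n - current.line_no <= MAX_FRAME_DISTANCE:
            current.frames.append((f.group(2), f.group(3)))
    return events


def triage(log_text):
    """Return (line_no, severity, affected functions) per crash event, most severe first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    rows = [(e.line_no, e.severity(), e.affected_functions()) for e in parse_crash_events(log_text)]
    return sorted(rows, key=lambda r: (rank[r[1]], r[0]))


# Constructed sample: one ASan report with frames, one kernel segfault inside
# libxslt.so without symbols, and one unrelated segfault in another binary.
SAMPLE_LOG = """\
2025-03-20T10:14:02Z xmlworker[4211]: transform start job=77
==4211==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000003100
READ of size 8 at 0x606000003100 thread T0
    #0 0x7f1a2c0e12a0 in xsltNumberFormatGetValue (/usr/lib/libxslt.so.1+0x2e2a0)
    #1 0x7f1a2c0e1f40 in xsltNumberFormat (/usr/lib/libxslt.so.1+0x2ef40)
    #2 0x55d1a9b0c1d0 in run_transform (/opt/xmlworker/bin/xmlworker+0x31d0)
2025-03-20T10:14:03Z xmlworker[4211]: exited with signal 6
2025-03-20T10:20:11Z xmlworker[4390]: transform start job=78
2025-03-20T10:20:12Z xmlworker[4390]: transform done job=78
kernel: xmlworker[4502]: segfault at 18 ip 00007f1a2c0e12a0 sp 00007ffd31e0 error 4 in libxslt.so.1[7f1a2c0b3000+3a000]
kernel: imgconv[4610]: segfault at 0 ip 0000556a3c0011f0 sp 00007ffd4a10 error 4 in imgconv[556a3c000000+2000]
"""

if __name__ == "__main__":
    for line_no, sev, funcs in triage(SAMPLE_LOG):
        print(f"line {line_no}: {sev:6s} {', '.join(funcs) or '-'}")
```

A "high" event is the one worth paging on: it is the only case where the advisory's function names are actually on the stack. "medium" events (libxslt implicated but no symbols) are a prompt to enable crash dump collection with symbols, as the monitoring recommendations below suggest.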
Monitoring Recommendations
- Enable crash dump collection for applications that process XSLT transformations
- Implement logging for XSLT processing operations to track the source of potentially malicious input
- Monitor for unusual patterns in XML/XSLT processing workloads that could indicate exploitation attempts
- Set up alerts for segmentation faults or memory corruption errors in libxslt-dependent applications
How to Mitigate CVE-2025-24855
Immediate Actions Required
- Update libxslt to version 1.1.43 or later immediately
- Audit all systems and applications to identify instances of vulnerable libxslt versions
- Review software dependencies for applications that bundle or statically link libxslt
- Restrict processing of XSLT stylesheets from untrusted sources until patches are applied
Patch Information
The vulnerability has been addressed in libxslt version 1.1.43 and later. Organizations should prioritize upgrading to the patched version. Detailed information about the fix can be found in the GNOME libxslt Issue #128 tracker. Additional distribution-specific guidance is available via the Debian LTS Announcement.
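Auditing for vulnerable builds means comparing whatever version string an inventory or the binary itself reports against 1.1.43. The helper below is an added example for this advisory, not libxslt project code: it accepts both the dotted upstream form ("1.1.42") and the single integer libxslt prints from `xsltproc --version` ("10142", i.e. major*10000 + minor*100 + micro), and it can parse a captured `xsltproc --version` output. SAMPLE_XSLTPROC_OUTPUT is a constructed sample. One caveat a practitioner should keep in mind: distributions frequently backport the fix without changing the upstream version number, so a "vulnerable" verdict from an upstream-version check must be confirmed against the distribution's own advisory (such as the Debian LTS announcement referenced above) before it is treated as a finding.

```python
"""Decide whether a libxslt build predates the CVE-2025-24855 fix (1.1.43).

Added example for this advisory, not code from the libxslt project.
SAMPLE_XSLTPROC_OUTPUT below is a constructed sample of xsltproc's output.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (1, 1, 43)  # first release containing the fix, per the advisory


def parse_libxslt_version(text):
    """Return (major, minor, micro) from '1.1.42' or from the integer form
    '10142' (major*10000 + minor*100 + micro); raise ValueError otherwise."""
    s = text.strip()
    if re.fullmatch(r"\d+\.\d+\.\d+", s):
        return tuple(int(p) for p in s.split("."))
    if re.fullmatch(r"\d{5,}", s):
        n = int(s)
        return (n // 10000, (n // 100) % 100, n % 100)
    raise ValueError(f"unrecognised libxslt version: {text!r}")


def is_vulnerable(version_text):
    """True when the upstream version is older than 1.1.43.
    Does not account for distribution backports (see caveat above)."""
    return parse_libxslt_version(version_text) < FIXED_VERSION


XSLTPROC_RE = re.compile(r"\blibxslt (\d+)\b")


def version_from_xsltproc_output(output):
    """xsltproc --version prints the runtime libxslt version as an integer,
    e.g. 'Using libxml 20914, libxslt 10142 and libexslt 820'. The first
    'libxslt NNNNN' occurrence is the library actually loaded at run time,
    which is the one that matters for exposure."""
    m = XSLTPROC_RE.search(output)
    if not m:
        raise ValueError("no libxslt version found in xsltproc output")
    return parse_libxslt_version(m.group(1))


def check_installed():
    """Run the real xsltproc if it is on PATH; return (version, vulnerable) or None."""
    exe = shutil.which("xsltproc")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    v = version_from_xsltproc_output(out.stdout + out.stderr)
    return v, v < FIXED_VERSION


# Constructed sample of the first lines xsltproc --version prints.
SAMPLE_XSLTPROC_OUTPUT = """\
Using libxml 20914, libxslt 10142 and libexslt 820
xsltproc was compiled against libxml 20914, libxslt 10142 and libexslt 820
"""

if __name__ == "__main__":
    v = version_from_xsltproc_output(SAMPLE_XSLTPROC_OUTPUT)
    print("sample:", ".".join(map(str, v)), "vulnerable" if v < FIXED_VERSION else "fixed")
    result = check_installed()
    if result is None:
        print("xsltproc not found on PATH")
    else:
        v, vuln = result
        print("installed:", ".".join(map(str, v)), "vulnerable" if vuln else "fixed")
```

The same parser can be pointed at SBOM or package-manager inventories that record the upstream version, which is how the "audit all systems" action above scales beyond a single host.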
Workarounds
- Implement input validation to reject XSLT stylesheets from untrusted sources
- Use application sandboxing to limit the impact of potential exploitation
- Consider disabling XSLT transformation functionality if not required for business operations
- Deploy memory protection mechanisms (ASLR, DEP) to make exploitation more difficult
# Check installed libxslt version
xsltproc --version
# For Debian/Ubuntu systems, update libxslt
sudo apt-get update && sudo apt-get install libxslt1.1
# For RHEL/CentOS systems, update libxslt
sudo yum update libxslt
# Verify the updated version; libxslt reports it as a single integer
# (major*10000 + minor*100 + micro), so 1.1.43 is printed as 10143
xsltproc --version | grep "libxslt"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.