A use-after-free vulnerability (CVE-2025-24855) has been discovered in libxslt, a widely used library for applying XSL transformations to XML documents. The bug lives in numbers.c and affects all versions prior to 1.1.43. In this post, we discuss the details of the vulnerability and how it can be triggered, and provide code snippets and references for further reading.
xsltComputeSortResultInternal
The root cause of this vulnerability is incorrect handling of nested XPath evaluations. During evaluation, the XPath context node is overwritten (possibly several times) but never restored to its previous value, so later code dereferences a node that has already been freed.
Here is a code snippet illustrating the improper handling of the XPath context node:
    // ... code ...
    xmlXPathContextPtr xpathCtxt;
    // ...
    // The context node is overwritten with the root of a temporary proxy
    // document; the previous value of xpathCtxt->node is not saved first.
    xpathCtxt->node = xmlDocGetRootElement(proxy->doc);
    // ... code ...
    if (xsltEvalXPathStringNs(cache, xpathCtxt) == NULL)
    {
        // Early return: xpathCtxt->node still points at the proxy node and is
        // never restored, so it dangles once the proxy is freed.
        xsltTransformError(ctxt, NULL, NULL,
                           "xsltComputeSortResultInternal: "
                           "evaluation against proxy node failed\n");
        return;
    }
    // ... code ...
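To make the defect class concrete, here is an added, self-contained C model of the pattern described above. It is constructed for this post and is not libxslt code: a stand-in context struct with a single node pointer, a buggy routine that points the context at a temporary proxy node and returns without restoring it, and the corrected routine that saves the original node and puts it back on every exit path. The names (xpath_ctxt_t, eval_against_proxy_buggy, eval_against_proxy_fixed, context_node_restored) are hypothetical. The harness only compares pointer values after the call; it never dereferences the freed proxy.

```c
/* Constructed model of "context node overwritten and never restored".
 * Not libxslt code; names are hypothetical. Build: cc -Wall -o demo demo.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct node {
    char name[32];
} node_t;

/* Stand-in for xmlXPathContext: only the field that matters here. */
typedef struct {
    node_t *node;   /* current context node */
} xpath_ctxt_t;

/* Stand-in for the inner (nested) XPath evaluation. Returns 0 on failure so
 * the early-return path from the advisory can be exercised. */
static int nested_eval(xpath_ctxt_t *ctxt, int should_fail) {
    (void)ctxt;
    return should_fail ? 0 : 1;
}

/* Buggy pattern: the context node is pointed at a temporary proxy node and
 * never restored, on the failure path or the success path. After the proxy is
 * freed, ctxt->node dangles and any later use is a use-after-free. */
static int eval_against_proxy_buggy(xpath_ctxt_t *ctxt, int should_fail) {
    node_t *proxy = malloc(sizeof *proxy);
    if (proxy == NULL) return -1;
    strcpy(proxy->name, "proxy");
    ctxt->node = proxy;                 /* original node is overwritten */
    if (!nested_eval(ctxt, should_fail)) {
        free(proxy);
        return 0;                       /* returns with ctxt->node dangling */
    }
    free(proxy);
    return 1;                           /* still dangling */
}

/* Fixed pattern: save the original context node up front and restore it on
 * every exit, so callers never observe a pointer into freed memory. */
static int eval_against_proxy_fixed(xpath_ctxt_t *ctxt, int should_fail) {
    node_t *saved = ctxt->node;
    node_t *proxy = malloc(sizeof *proxy);
    int rc;
    if (proxy == NULL) return -1;
    strcpy(proxy->name, "proxy");
    ctxt->node = proxy;
    rc = nested_eval(ctxt, should_fail) ? 1 : 0;
    free(proxy);
    ctxt->node = saved;                 /* restored on both paths */
    return rc;
}

/* Harness: 1 if ctxt->node still refers to the document node after the call,
 * 0 if it was left pointing at the (now freed) proxy. Pointer comparison only. */
int context_node_restored(int use_fixed, int should_fail) {
    node_t doc_root = { "root" };
    xpath_ctxt_t ctxt = { &doc_root };
    if (use_fixed)
        eval_against_proxy_fixed(&ctxt, should_fail);
    else
        eval_against_proxy_buggy(&ctxt, should_fail);
    return ctxt.node == &doc_root;
}

int main(void) {
    printf("buggy, nested eval fails: restored=%d\n", context_node_restored(0, 1));
    printf("buggy, nested eval ok:    restored=%d\n", context_node_restored(0, 0));
    printf("fixed, nested eval fails: restored=%d\n", context_node_restored(1, 1));
    printf("fixed, nested eval ok:    restored=%d\n", context_node_restored(1, 0));
    return 0;
}
```

The takeaway for reviewers of similar code is the shape of the fix, not the specific function: whenever a routine temporarily redirects a shared context pointer at an object with a shorter lifetime, the original value must be saved and restored on every return path, including error returns.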
Exploitation
This use-after-free vulnerability can be exploited by an attacker in various ways. For example, a specially crafted XSLT stylesheet could trigger the vulnerable code paths, leading to a crash or potentially to remote code execution. The actual impact depends on how XSLT processing is implemented in the application using libxslt.
Mitigation
To mitigate this vulnerability, users are advised to update libxslt to version 1.1.43 or later, which contains the security fix. You can obtain the updated version from the official libxslt project:
- libxslt GitHub Repository - download the latest source code and compile it.
- libxslt Release Page - download the latest pre-compiled binaries, if available for your platform.
In addition to updating the library, developers using libxslt should review their code and verify that it does not process untrusted stylesheets or XML documents, as doing so exposes the application to this class of bug.
Original References
For more details on this vulnerability, you can refer to the following original references and discussions:
- CVE-2025-24855 Official Entry - describes the vulnerability and affected versions.
- libxslt GitHub Repository - the official repository for libxslt, where you can find the latest source code and security patches.
- libxslt Release Page - contains information about the latest releases and updates.
Conclusion
Because libxslt is so widely used for XML transformations, it is essential to keep it up to date and to follow secure coding practices to prevent exploitation. We recommend updating to version 1.1.43 or later to address the use-after-free vulnerability in numbers.c, and reviewing your implementation for any other potential security issues.
Timeline
Published on: 03/14/2025 02:15:15 UTC