CVE-2025-7425

Description

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

How to fix CVE-2025-7425

To remediate CVE-2025-7425, upgrade the affected package to a fixed version below.

• —upgrade to 1.8.0 or later
• —upgrade to 1.8.0 or later
• —upgrade to 1.8.0 or later
• —upgrade to 2.9.14+dfsg-1.3~deb12u4 or later
• —no fix listed

Is CVE-2025-7425 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 1.8.0, >= 1.9.0, < 8.0.481
• from 0, < 1.8.0, >= 1.9.0, < 8.0.481
• from 0, < 1.8.0, >= 1.9.0, < 8.0.481
• from 0, < 2.9.14+dfsg-1.3~deb12u4
• from 0

CVSS scores

References (45)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-7425
• WEBaccess.redhat.com/errata/RHBA-2025:12345
• WEBaccess.redhat.com/errata/RHSA-2025:12447
• WEBaccess.redhat.com/errata/RHSA-2025:12450
• WEB