libxslt: type confusion in libxslt library (CVE-2025-7424)
Summary
Welcome to today’s security podcast. We’re discussing CVE-2025-7424, a newly disclosed vulnerability in the libxslt library. This flaw can be triggered during XML stylesheet transformations and may allow an attacker to crash applications or corrupt memory, potentially causing denial of service or unexpected behavior.
Product details
The issue affects the libxslt library as packaged in multiple distributions: Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, as well as mingw-libxslt on Fedora 41 and Fedora 42. SUSE has also issued an advisory covering its libxslt packages.
Vulnerability type summary
CVE-2025-7424 is categorized as a type confusion vulnerability, specifically an Access of Resource Using Incompatible Type. Internally, the same memory field—psvi—is used for both stylesheet and input data, leading to ambiguous typing during runtime.
Details of the vulnerability
During an XML transformation, libxslt stores type information in a shared psvi field. An attacker can craft a stylesheet or input document that manipulates psvi so that libxslt misinterprets data structures. This can crash the application, corrupt memory buffers, or trigger other unpredictable behavior. While there’s no known remote, unauthenticated exploit in the wild, locally supplied XML files or malicious data in a processing pipeline could be weaponized to cause denial of service.
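The shared-field pattern described above, as an added example in C. It is a simplified model, not libxslt source and not the vendor fix; every struct, function, and value name is hypothetical. It contrasts an accessor that trusts an untyped slot with one that checks a type tag before casting.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT libxslt source: all names here are hypothetical. */
enum psvi_kind { PSVI_STYLE_INFO = 1, PSVI_INPUT_INFO = 2 };

/* Both payloads start with a tag so a consumer can tell which one it has. */
struct style_info { enum psvi_kind kind; int compiled_op; };
struct input_info { enum psvi_kind kind; const char *source_name; };

/* Stand-in for a tree node with one untyped slot, like the shared psvi field. */
struct node { const char *name; void *psvi; };

/* Unsafe pattern: assumes the slot always holds a style_info. If the node
 * came from the input document, the fields are read as the wrong type. */
static int op_unchecked(const struct node *n) {
    return ((const struct style_info *)n->psvi)->compiled_op;
}

/* Hardened pattern: verify the tag before casting; -1 means "rejected". */
static int op_checked(const struct node *n) {
    if (n == NULL || n->psvi == NULL)
        return -1;
    /* A pointer to a struct may be converted to a pointer to its first member. */
    if (*(const enum psvi_kind *)n->psvi != PSVI_STYLE_INFO)
        return -1;
    return ((const struct style_info *)n->psvi)->compiled_op;
}

/* Constructed sample data: one stylesheet node and one input-document node. */
static struct style_info g_style = { PSVI_STYLE_INFO, 42 };
static struct input_info g_input = { PSVI_INPUT_INFO, "input.xml" };
static struct node g_style_node = { "xsl:template", &g_style };
static struct node g_input_node = { "item", &g_input };
static struct node g_empty_node = { "text", NULL };

int main(void) {
    /* The unchecked accessor is only exercised on the type it expects. */
    printf("unchecked(style) = %d\n", op_unchecked(&g_style_node));
    printf("checked(style)   = %d\n", op_checked(&g_style_node));
    printf("checked(input)   = %d\n", op_checked(&g_input_node));
    printf("checked(empty)   = %d\n", op_checked(&g_empty_node));
    return 0;
}
```

The checked accessor turns a would-be misinterpretation into an explicit rejection that the caller can log and handle.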
Conclusion
Administrators and developers using libxslt should update to the patched versions provided by their distribution vendors immediately. Fedora users should apply the mingw-libxslt updates for Fedora 41 and 42; Red Hat customers should install the errata for RHEL 6–10 and OCP 4; SUSE users should follow the advisory for their libxslt packages. Keeping XML processing libraries up to date helps prevent crashes and memory corruption in production environments.
Remediation and exploitation details
This chain involves the following actors
- Malicious Agent: Attacker exploiting type confusion in libxslt
- System Administrator: Responsible for deploying patches and configuring defenses
The following systems are involved
- libxslt (Performs XML Stylesheet Transformations): Vulnerable XML processing library
- XML Transformation Service (Applies XSLT rules to user-provided XML documents): Dependent application invoking libxslt
Attack entry point
- Stylesheet Upload Interface: Endpoint that accepts user-supplied XSLT stylesheets and XML inputs for transformation
Remediation actions
Exploitation actions
Crafted XML/XSLT data reusing a shared memory field for different object types
- 1. Examine libxslt source to identify the psvi field shared by stylesheet and input nodes.
- 2. Build an XSLT stylesheet that defines elements whose psvi metadata overlaps and misaligns with input data structures.
- 3. Submit the malicious stylesheet together with benign XML input to the transformation service.
- 4. libxslt reuses the psvi field for both types, misinterprets metadata, and writes incorrect type pointers.
- 5. During transformation, mismatched type data causes invalid memory reads or writes, leading to a crash or memory corruption.
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/security/cve/CVE-2025-7424
- https://bugzilla.redhat.com/show_bug.cgi?id=2379228
- [2025-08-05] Fedora 41 issues an alert for a mingw-libxslt vulnerability related to CVE-2025-7424 and recommends applying a proposed fix.
- [2025-08-05] Fedora 42 releases a critical security update for mingw-libxslt to address a type confusion vulnerability (CVE-2025-7424).
- [2025-08-20] SUSE releases an advisory for a type confusion vulnerability in libxslt, identified as CVE-2025-7424.