libxslt: use-after-free in libxslt key() function leading to heap corruption (CVE-2025-7425) #shorts
Summary
Today we’re talking about CVE-2025-7425, a critical memory corruption vulnerability in libxslt, the XSLT processing library used by libxml2. This flaw can lead to heap corruption or crashes when processing certain XSLT functions, and it has been addressed by major Linux distributors in July 2025.
Product details
libxslt is the XSLT engine that transforms XML documents according to stylesheet rules. It ships as part of libxml2 and is widely used on Oracle Linux, SUSE Linux Enterprise Server, Red Hat Enterprise Linux, and related platforms such as OpenShift Container Platform. Affected versions include libxslt releases before the July 2025 security updates.
Vulnerability type summary
This issue is classified as a use-after-free that can trigger heap corruption. In some reports it’s also described as a buffer overflow in the attribute-type handler of the key() function. Either way, improper memory management lets an attacker manipulate freed or overwritten data.
Details of the vulnerability
The problem lies in how libxslt updates internal attribute metadata—specifically the atype and flags fields—when constructing tree fragments for functions like key(). Under certain conditions, ID attributes are not cleaned up correctly, leaving dangling pointers. Subsequent operations can walk those pointers back into freed heap memory. The result can be a crash or crafted heap corruption, potentially enabling further exploitation. The flaw was published on July 10, 2025, and vendors like Oracle, SUSE and Red Hat issued patches by the end of July.
Conclusion
If you run any service or application that relies on libxslt or libxml2, you should install the vendor security updates immediately. Oracle Linux 8, SUSE Enterprise Linux, Red Hat Enterprise Linux 8 and 9, and associated container platforms all provide patched packages. Applying these updates will close the use-after-free hole and protect your systems from crashes or malicious heap tampering.
Watch the full video on YouTube: CVE-2025-7425
Remediation and exploitation details
This chain involves the following actors
- Attacker: Crafts and delivers a malicious transformation to exploit the vulnerability
- System Administrator: Applies patches and monitors for updates
The following systems are involved
- libxslt (Library that performs Extensible Stylesheet Language Transformations): Contains the vulnerable key() function
- Application using libxml2 bindings (Host program that calls libxslt to process XSLT documents): Exposes the key() entry point to user-supplied stylesheets
Attack entry point
- User-supplied XSLT document: Inputs a stylesheet with specially crafted key() definitions
- key() function in libxslt: Performs index lookups and tree fragment creation that trigger the flaw
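The entry point above is a user-supplied stylesheet that declares keys and calls key(). Until the patched package is installed, one compensating control is to refuse such stylesheets before they reach libxslt. The following is an added example, not code from libxslt or from the page; it uses only Python's standard library (so it runs without libxslt) and the two stylesheets are constructed for the example, the first reusing the xsl:key declaration quoted on this page.

```python
"""Added example: a stop-gap pre-filter that rejects untrusted XSLT
stylesheets which declare xsl:key or call the XPath key() function,
so they never reach libxslt's key() code path. Not part of libxslt or
of this page; standard library only, sample stylesheets are constructed."""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Matches a call to the XPath key() function inside an attribute value,
# e.g. select="key('k', @id)". The lookbehind avoids matching 'monkey('.
KEY_CALL = re.compile(r"(?<![\w-])key\s*\(")

# Constructed sample: declares the key quoted on the page and calls key().
UNTRUSTED_STYLESHEET = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:key name="k" match="//item" use="@id"/>
  <xsl:template match="/">
    <xsl:for-each select="//item">
      <xsl:copy-of select="key('k', @id)"/>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: same input shape, but never touches key().
BENIGN_STYLESHEET = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <out><xsl:value-of select="count(//item)"/></out>
  </xsl:template>
</xsl:stylesheet>
"""


def find_key_usage(stylesheet_xml: str) -> list:
    """Return one finding per xsl:key declaration and per attribute whose
    value calls key(). An empty list means the stylesheet never exercises
    libxslt's key() handling."""
    findings = []
    root = ET.fromstring(stylesheet_xml)
    for elem in root.iter():
        if elem.tag == f"{{{XSL_NS}}}key":
            findings.append(("xsl:key", elem.get("name"), elem.get("use")))
        for attr, value in elem.attrib.items():
            if KEY_CALL.search(value):
                findings.append(("key()", elem.tag, f'{attr}="{value}"'))
    return findings


def is_safe_to_transform(stylesheet_xml: str) -> bool:
    """Policy: untrusted stylesheets may not use key() until the patched
    libxslt package is installed. Malformed XML is rejected as well."""
    try:
        return not find_key_usage(stylesheet_xml)
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for label, doc in (("untrusted", UNTRUSTED_STYLESHEET),
                       ("benign", BENIGN_STYLESHEET)):
        verdict = "accepted" if is_safe_to_transform(doc) else "rejected"
        print(f"{label}: {verdict}")
        for finding in find_key_usage(doc):
            print("  ", finding)
```

Run the filter on every stylesheet that originates outside your trust boundary and log the findings; once the vendor update is applied the policy can be relaxed, but keeping the log of rejected key() usage gives you a record of who was probing this code path.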
Remediation actions
Exploitation actions
Use of key() to generate tree fragments containing ID attributes
- <xsl:key name="k" match="//item" use="@id"/>
Trigger creation of multiple tree fragments without proper cleanup
- call key('k','123') in a loop over matching nodes
Corrupt internal memory management structures during fragment creation
- atype and flags fields overwritten in the XML attribute object
Use-after-free access to attribute objects
- Cleanup routine skips ID attribute removal, so the dangling pointer remains
Heap corruption leading to crash or potential arbitrary memory overwrite
- Repeated stylesheet execution until process aborts
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://access.redhat.com/errata/RHSA-2025:12447
- https://access.redhat.com/errata/RHSA-2025:12450
- https://access.redhat.com/security/cve/CVE-2025-7425
- https://bugzilla.redhat.com/show_bug.cgi?id=2379274
- https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
- [2025-07-30] SUSE reports a critical heap corruption vulnerability in libxml2, identified as CVE-2025-7425.
- [2025-08-02] Oracle Linux 8 receives an important security update for libxml2 to fix CVE-2025-7425.
- [2025-07-10] A critical vulnerability in libxslt's key function of the Attribute Type Handler component has been discovered, allowing for a buffer overflow exploit.