
CVE-2024-25062

CVE Details

Visit the official vulnerability details page for CVE-2024-25062 to learn more.

Initial Publication

01/20/2025

Last Update

09/02/2025

Third Party Dependency

libxml2

NIST CVE Summary

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

CVE Severity

7.5

Our Official Summary

A use-after-free flaw exists in libxml2's xmlValidatePopElement function when using the XML Reader interface with both DTD validation and XInclude expansion enabled. Processing specially crafted XML documents under these conditions can lead to memory corruption, potentially causing application crashes or enabling arbitrary code execution.

Risk of exploitation is low for our products, as an attacker would first have to gain privileged access to a container and run code inside it in order to exploit this. The probability of exploitation is very low. If a fix becomes available upstream, it will be adopted to resolve this vulnerability.
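The practical check for this advisory is whether the libxml2 actually loaded inside a container falls in the ranges the NIST summary above gives (every release before 2.11.7, and 2.12.x before 2.12.5). The script below is an added example for this page, not code from Spectro Cloud or from the libxml2 project. It reads libxml2's exported `xmlParserVersion` string (the packed numeric form such as `21204`) through `ctypes`, and also accepts dotted strings from a package manager. Two assumptions are labelled in the code: the Linux soname `libxml2.so.2`, and that release lines the summary does not mention (2.13 and later) are treated as fixed.

```python
"""Triage a libxml2 version against the CVE-2024-25062 affected ranges.

Added example; not part of the vendor advisory or of libxml2 itself.
Affected ranges are taken from the NIST summary on this page:
  * every release before 2.11.7
  * 2.12.x before 2.12.5
Assumption: any other line (2.13 and later) is treated as fixed.
"""
import ctypes
import re
from typing import Optional, Tuple, Union

Version = Tuple[int, int, int]

# Fix boundaries from the NIST summary on this page.
FIXED_2_11: Version = (2, 11, 7)
FIXED_2_12: Version = (2, 12, 5)


def parse_version(text: str) -> Version:
    """Accept a dotted string ("2.12.4", "2.12") or libxml2's packed
    numeric form ("21204", as exported in xmlParserVersion). Any trailing
    suffix such as "-GITv..." is ignored."""
    text = text.strip()
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m:
        major, minor, micro = m.groups()
        return (int(major), int(minor), int(micro or 0))
    m = re.match(r"^(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised libxml2 version: {text!r}")
    n = int(m.group(1))
    # Packed form is major*10000 + minor*100 + micro, e.g. 21204 -> 2.12.4
    return (n // 10000, (n // 100) % 100, n % 100)


def is_affected(version: Union[str, Tuple[int, ...]]) -> bool:
    """True if the version is inside a CVE-2024-25062 affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v < FIXED_2_11:
        return True          # 2.9.x, 2.10.x and 2.11.0 .. 2.11.6
    if v[:2] == (2, 12) and v < FIXED_2_12:
        return True          # 2.12.0 .. 2.12.4
    return False             # 2.11.7+, 2.12.5+ and (assumed) later lines


def installed_libxml2_version(libname: str = "libxml2.so.2") -> Optional[Version]:
    """Read xmlParserVersion from the libxml2 actually loaded in this
    process/container, which is what matters for exploitability, rather
    than whatever a package database claims. Returns None when the library
    cannot be loaded. The soname is an assumption (Linux); macOS would use
    "libxml2.2.dylib"."""
    try:
        lib = ctypes.CDLL(libname)
        raw = ctypes.c_char_p.in_dll(lib, "xmlParserVersion").value
    except (OSError, ValueError):
        return None
    if raw is None:
        return None
    return parse_version(raw.decode("ascii", "replace"))


def triage(versions):
    """Map each supplied version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample versions that straddle both fix boundaries.
    samples = ["2.9.14", "2.11.6", "2.11.7", "2.12.4", "2.12.5", "21204", "2.13.0"]
    for ver, hit in triage(samples).items():
        print(f"libxml2 {ver:>8}: {'AFFECTED' if hit else 'not affected'}")
    found = installed_libxml2_version()
    if found is None:
        print("libxml2 not loadable here; supply the version from the image's package manager")
    else:
        dotted = ".".join(map(str, found))
        print(f"loaded libxml2 {dotted}: {'AFFECTED' if is_affected(found) else 'not affected'}")
```

Run it inside the container image under review; the `ctypes` path reports the library the process would really link, so a vendored or statically bundled copy that differs from the distro package will not be missed as long as it is the one on the loader path.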

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.22 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |

Revision History

| Date | Revision |
|---|---|
| 05/29/2025 | Status changed from Open to Ongoing |
| 05/29/2025 | Official summary added |