CVE-2024-25062
CVE Details
Visit the official vulnerability details page for CVE-2024-25062 to learn more.
Initial Publication
01/20/2025
Last Update
09/02/2025
Third Party Dependency
libxml2
NIST CVE Summary
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
CVE Severity
Our Official Summary
A use-after-free flaw exists in libxml2's xmlValidatePopElement function when using the XML Reader interface with both DTD validation and XInclude expansion enabled. Processing specially crafted XML documents under these conditions can lead to memory corruption, potentially causing application crashes or enabling arbitrary code execution.
Risk of exploitation is low for our products as attacker has to gain privilged access to the container and run code on the container to be able to exploit this. Probability of exploitation is very low. If a fix becomes available upstream, that will be adopted to fix this vulnerability.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.5.22 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 05/29/2025 | Status changed from Open to Ongoing |
| 05/29/2025 | Official summary added |