CVE-2025-49795
CVE Details
Visit the official vulnerability details page for CVE-2025-49795 to learn more.
Initial Publication
06/13/2025
Last Update
09/21/2025
Third Party Dependency
libxml2
NIST CVE Summary
A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.
CVE Severity
Our Official Summary
This is a high-severity null pointer dereference in libxml2—specifically within the xmlSchematronFormatReport function—triggered by malformed XPath expressions, allowing for a denial-of-service (DoS) attack.
This vulnerability impacts libxml2 processing of XPath in XML schemas, enabling remote DoS via null pointer dereference. In SpectroCloud environments, the container image is isolated from external exposure, containers do not consume malicious XML inputs by design, and hardened execution policies confine any impact to single containers—making overall risk minimal.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.20 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 08/12/2025 | Status changed from Open to Ongoing |
| 08/12/2025 | Official summary added |
| 06/17/2025 | Advisory assigned with HIGH severity |