Uncontrolled Recursion in libxml2
CVE-2025-9714
- libxml2
- libxml
- libxmljs
- libxml2-nodejs
- lxml
Summary
Uncontrolled recursion in XPath evaluation in libxml2 versions through 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. The XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting the recursion depth to zero before making potentially recursive calls. When such functions were called recursively, this could allow uncontrolled recursion and lead to a stack overflow. These functions now preserve the recursion depth across recursive calls, allowing the recursion depth to be controlled.
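To make the bug pattern concrete, here is a constructed C model added to this advisory (not libxml2's code): one checked depth counter that the entry point either zeroes on every call, as the affected functions did, or leaves intact, as the fix does, plus a separate counter that measures the real nesting reached. All names (`eval_ctx`, `run_eval`, `eval_step`, `deepest_nesting`, `limit_fired`) are hypothetical.

```c
#include <stdbool.h>

typedef struct {
    int depth;           /* counter compared against max_depth */
    int max_depth;       /* recursion limit the evaluator enforces */
    int steps;           /* frames one expression recurses before re-entering */
    int real_depth;      /* actual nesting, never reset (measurement only) */
    int max_real;        /* deepest actual nesting reached */
    bool limit_hit;      /* set when the depth check fired */
    bool reset_on_entry; /* true = affected behaviour, false = fixed behaviour */
} eval_ctx;

static void run_eval(eval_ctx *ctx, int nested);

/* Inner recursion of one expression; at the bottom it re-enters run_eval()
 * for a nested sub-expression, as the summary says the real functions could. */
static void eval_step(eval_ctx *ctx, int remaining, int nested) {
    if (ctx->depth >= ctx->max_depth) { ctx->limit_hit = true; return; }
    ctx->depth++; ctx->real_depth++;
    if (ctx->real_depth > ctx->max_real) ctx->max_real = ctx->real_depth;
    if (remaining > 1)
        eval_step(ctx, remaining - 1, nested);
    else if (nested > 0)
        run_eval(ctx, nested - 1);
    ctx->real_depth--; ctx->depth--;
}

/* Entry point. Zeroing depth here is the bug: every re-entry restarts the count,
 * so nested evaluations pile up stack frames the limit never sees. Leaving it alone is the fix. */
static void run_eval(eval_ctx *ctx, int nested) {
    int saved = ctx->depth;
    if (ctx->reset_on_entry) ctx->depth = 0;
    eval_step(ctx, ctx->steps, nested);
    ctx->depth = saved;
}

static eval_ctx run_model(bool reset, int max_depth, int steps, int nested) {
    eval_ctx ctx = { 0, max_depth, steps, 0, 0, false, reset };
    run_eval(&ctx, nested);
    return ctx;
}

/* Deepest real nesting reached: grows with `nested` when depth is reset,
 * but is capped at max_depth when depth is preserved. */
int deepest_nesting(bool reset, int max_depth, int steps, int nested) {
    return run_model(reset, max_depth, steps, nested).max_real;
}

/* Whether the recursion limit actually fired for the same run. */
bool limit_fired(bool reset, int max_depth, int steps, int nested) {
    return run_model(reset, max_depth, steps, nested).limit_hit;
}
```

With the reset in place, the real nesting is (nested + 1) * steps regardless of max_depth; with depth preserved, the limit fires at max_depth frames.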
- LOW
- LOCAL
- NONE
- UNCHANGED
- NONE
- LOW
- NONE
- HIGH
CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
References
Advisory Timeline
- Published