CVE-2025-49795
EUVD-2025-18416 | HIGH
2025-06-16 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated: Apr 19, 2026 - 20:31 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 19, 2026 - 20:22 (vuln.today), cvss_changed
Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd), EUVD-2025-18416
Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
PoC Detected: Oct 27, 2025 - 18:15 (vuln.today), public exploit code
CVE Published: Jun 16, 2025 - 16:15 (nvd), HIGH 7.5

Description (NVD)

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

Analysis (AI)

A NULL pointer dereference in libxml2's XPath processing engine crashes applications that parse untrusted XML. It affects all major Linux distributions, including Red Hat Enterprise Linux 10, Ubuntu (10 releases), Debian (8 releases), and SUSE. Remote unauthenticated attackers can trigger a denial of service by sending crafted XPath expressions embedded in XML documents. Publicly available exploit code exists (GitHub gist). The EPSS score is low (0.15%, 36th percentile), indicating that widespread exploitation has not been observed, and the CVE is not currently listed in CISA KEV. Vendor patches are available from Red Hat (2.12.5-7.el10_0), SUSE, and the upstream libxml2 project.

Technical Context (AI)

libxml2 is a foundational XML parsing library used extensively across Linux/Unix systems and embedded in countless applications, web servers, programming language runtimes (Python, PHP, Ruby), and system utilities. The vulnerability resides in the XPath expression evaluation engine, which traverses XML document trees using path notation. CWE-825 (expired pointer dereference) indicates the code attempts to access memory through a NULL pointer during XPath processing, likely when handling malformed or edge-case XPath syntax against specific XML structures. Because XPath evaluation is triggered automatically when applications process user-supplied XML containing embedded XPath expressions (common in XSLT transformations, XML queries, and configuration files), the attack surface is broad. The vulnerability affects the core libxml2 library rather than a specific application, meaning exploitation impacts any software statically or dynamically linked against vulnerable libxml2 versions.

Remediation (AI)

Apply vendor-provided patches immediately on systems that process untrusted XML. Red Hat Enterprise Linux 10 users should upgrade to libxml2 2.12.5-7.el10_0 via RHSA-2025:10630 (https://access.redhat.com/errata/RHSA-2025:10630). Ubuntu and Debian users should apply updates through the standard package managers, as tracked in their security advisories. SUSE customers should deploy SUSE-SU-2025:02260 or SUSE-SU-2025:02314, depending on version (https://www.suse.com/support/update/SUSE-SU-2025:02260/). For environments where immediate patching is infeasible, implement compensating controls: disable XPath functionality in applications if it is not required (consult the application documentation for flags like --noxpath or configuration settings), restrict XML input sources to trusted origins only via firewall rules or application logic, deploy rate limiting and resource quotas to contain the denial-of-service impact, and enable application-level input validation to reject XML documents containing XPath expressions before passing them to libxml2. Note that disabling XPath may break legitimate application features such as XSLT transformations or XQuery functionality. Individual crashes are automatically mitigated by application restart mechanisms, which makes this lower priority than RCE vulnerabilities, but repeated crashes can constitute an effective availability attack against public-facing services.

Vendor Status

Ubuntu

Priority: Medium
Package: libxml2

Release   Status        Version
upstream  needs-triage  -
trusty    not-affected  code not present
oracular  ignored       end of life, was needs-triage
bionic    not-affected  code not present
focal     not-affected  code not present
jammy     not-affected  code not present
noble     not-affected  code not present
plucky    not-affected  code not present
xenial    not-affected  code not present
questing  released      2.14.5+dfsg-0.2

Debian

Package: libxml2

Release              Status        Fixed Version                         Urgency
bullseye             fixed         2.9.10+dfsg-6.7+deb11u4               -
bullseye (security)  fixed         2.9.10+dfsg-6.7+deb11u9               -
bookworm             fixed         2.9.14+dfsg-1.3~deb12u5               -
bookworm (security)  fixed         2.9.14+dfsg-1.3~deb12u4               -
trixie               fixed         2.12.7+dfsg+really2.9.14-2.1+deb13u2  -
trixie (security)    fixed         2.12.7+dfsg+really2.9.14-2.1+deb13u1  -
forky, sid           fixed         2.15.1+dfsg-2                         -
(unstable)           not-affected  -                                     -
