How to fix CVE-2025-9714?

Within 30 days: Identify affected systems running XPath evaluation in libxml2 and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Libxml2 affected by CVE-2025-9714?

Organizations using XPath evaluation in libxml2 should be aware of moderate risk from CVE-2025-9714 rated CVSS 6.2. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

CVE-2025-9714

MEDIUM

2025-09-10 [email protected]

6.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

Patch Released

Mar 28, 2026 - 19:11 nvd

Patch available

CVE Published

Sep 10, 2025 - 19:15 nvd

MEDIUM 6.2

Description

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.

Analysis

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity.

Technical Context

This vulnerability is classified under CWE-674. Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions `xmlXPathRunEval`, `xmlXPathCtxtCompile`, and `xmlXPathEvalExpr` were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled. Affected products include: Xmlsoft Libxml2. Version information: version 2.9.14.

Affected Products

Xmlsoft Libxml2.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +31

POC: 0

Vendor Status

CVE-2025-9714 vulnerability details – vuln.today

Back

CVE-2025-9714

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-9714

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code