CVE-2025-49794
CVE Details
Visit the official vulnerability details page for CVE-2025-49794 to learn more.
Initial Publication
06/13/2025
Last Update
09/02/2025
Third Party Dependency
libxml2
NIST CVE Summary
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.
CVE Severity
Our Official Summary
A use-after-free vulnerability has been identified in libxml2 (xmlSchematronGetNode) that can be exploited via maliciously crafted XML documents, particularly involving <sch:name path="..."/> Schematron elements. This may result in application crashes or unpredictable behavior when processing untrusted XML.
This issue is of low risk because the containers in which it is reported are not accessible without privileged access. The impact of exploitation is also low, since the attack surface is restricted to those containers and they do not allow execution of arbitrary code.
Status
Ongoing
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
Date | Revision |
---|---|
06/17/2025 | Status changed from Open to Ongoing |
06/17/2025 | Official summary added |
06/17/2025 | Advisory assigned with CRITICAL severity |