Cyber Posture

CVE-2025-24855

HighPublic PoC

Published: 14 March 2025

Published
14 March 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
EPSS Score 0.0009 24.9th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24855 is a high-severity Use After Free (CWE-416) vulnerability in Xmlsoft Libxslt. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the use-after-free flaw in libxslt, directly eliminating the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match
prevent

Mandates periodic vulnerability scanning to detect systems with vulnerable libxslt versions prior to exploitation.

SI-16 Memory Protection partial match
prevent

Implements memory protections such as ASLR and non-executable memory to mitigate exploitation of the use-after-free in nested XPath processing.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Local use-after-free in libxslt with no privileges required, high attack complexity, scope change, and high integrity impact directly enables exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

Deeper analysisAI

CVE-2025-24855 is a use-after-free vulnerability (CWE-416) in the numbers.c component of libxslt versions prior to 1.1.43. It arises during nested XPath evaluations, where an XPath context node can be modified but is never restored, affecting functions such as xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal. The vulnerability carries a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H.

A local attacker can exploit this vulnerability with high attack complexity, requiring no privileges or user interaction. Successful exploitation changes scope and results in high impacts to integrity and availability, though confidentiality is unaffected.

Mitigation details are available in advisories such as the GNOME libxslt GitLab issue at https://gitlab.gnome.org/GNOME/libxslt/-/issues/128 and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00015.html, published around the CVE disclosure on 2025-03-14.

Details

CWE(s)
CWE-416

Affected Products

xmlsoft
libxslt
≤ 1.1.43

CVEs Like This One

CVE-2024-55549Same product: Xmlsoft Libxslt
CVE-2024-56171Same vendor: Xmlsoft
CVE-2026-23336Shared CWE-416
CVE-2026-27916Shared CWE-416
CVE-2025-20626Shared CWE-416
CVE-2025-21858Shared CWE-416
CVE-2026-31454Shared CWE-416
CVE-2025-21700Shared CWE-416
CVE-2024-57995Shared CWE-416
CVE-2026-23412Shared CWE-416

References