Vulnerability DatabaseCVE-2025-27113

CVE-2025-27113:
NixOS vulnerability analysis and mitigation

Overview

A NULL pointer dereference vulnerability (CVE-2025-27113) was discovered in libxml2, affecting versions before 2.12.10 and 2.13.x before 2.13.6. The vulnerability specifically exists in the xmlPatMatch function within pattern.c (NVD Database, Debian Tracker).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H by NIST, while MITRE assigned a lower score of 2.9 (LOW) with vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified as a NULL Pointer Dereference (CWE-476) (NVD Database).

Impact

The successful exploitation of this vulnerability could lead to Denial of Service (DoS) conditions in affected systems. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (NetApp Advisory).

Mitigation and workarounds

Users are strongly encouraged to update to libxml2 versions 2.12.10 or 2.13.6, which contain fixes for this vulnerability. The issue has been addressed through patches, and fixes are available in the latest releases (Security Online).

Additional resources

Source: This report was generated using AI

7.5

Score

Published February 18, 2025

Severity HIGH

CNA Score 2.9

Affected Technologies

NixOS
CBL Mariner

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 15.3

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

libxml2
libxml2-devel

Sources

NVD
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18 Severity HIGHHas FixAdded at: Mar 02, 2025
- Alpine 3.19, 3.20, 3.21, edge Severity HIGHHas FixAdded at: Mar 11, 2025
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity LOWHas FixAdded at: Mar 02, 2025
- CBL-Mariner 3.0 Severity LOWHas FixAdded at: May 04, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Mar 16, 2025
Debian Security Tracker
- Debian 11, 13 Severity HIGHHas FixAdded at: Feb 20, 2025
- Debian 12 Severity HIGHNo FixAdded at: Feb 20, 2025
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Mar 02, 2025
Nix
- Nix Severity HIGHHas FixAdded at: Mar 02, 2025
Photon Security Advisory
- Photon 4.0, 5.0 Severity LOWHas FixAdded at: Mar 09, 2025
Red Hat Errata
- Red Hat 6, 7, 8, 9 Severity LOWNo FixAdded at: Feb 20, 2025
- Red Hat 10 Severity LOWNo FixAdded at: May 22, 2025
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04, 24.10 Severity MEDIUMHas FixAdded at: Feb 23, 2025
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025