CVE-2025-6490: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-6490) was discovered in sparklemotion nokogiri affecting the hashmapsetwith_hash function in the gumbo-parser/src/hashmap.c file. The issue was identified in commit c29c920907366cb74af13b4dc2230e9c9e23b833 and was disclosed on June 21, 2025. The vulnerability is classified as a heap-based buffer overflow issue, and its real existence was initially disputed (NVD, VulDB).

The vulnerability occurs during memory operations when processing input data, specifically during the manipulation of hash map entries. The issue arises when passing a character string of variable length while always copying 8 bytes into the item, which becomes problematic when the string length exceeds 8 bytes. The vulnerability has received a CVSS v4.0 score of 4.8 (MEDIUM) and CVSS v3.1 score of 3.3 (LOW), with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (GitHub PR, VulDB).

The exploitation of this vulnerability could lead to heap memory corruption, potentially resulting in application crashes or denial of service conditions. The attack requires local access to be executed (VulDB).

A patch has been developed and merged into the main branch through commit ada4708e5a67114402cd3feb70a4e1d1d7cf773a. The fix involves ensuring the proper use of char* pointer as the hashmap item instead of directly passing character strings of variable length (GitHub PR).

The project maintainer has noted that the affected code was merged into the main branch but never appeared in an official release. The vulnerability was initially reported by Yifan Zhang and subsequently verified through security testing (GitHub Issue).