CVE-2025-6497: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in HTACG tidy-html5 version 5.8.0, identified as CVE-2025-6497, disclosed on June 22, 2025. The issue affects the prvTidyParseNamespace function in the src/parser.c file and involves a reachable assertion vulnerability. The vulnerability was discovered during fuzzing tests using Clang 18.1.8 on Ubuntu 20.04.6 LTS (GitHub Issue, VulDB Submit).

The vulnerability is located in the prvTidyParseNamespace function within src/parser.c at line 4120, resulting in a failed assertion of the 'parent' parameter. The issue has received a CVSS v4.0 score of 4.8 (MEDIUM) with the vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, while the CVSS v3.1 score is 3.3 (LOW) with the vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (VulDB).

The vulnerability can lead to a denial of service condition through a reachable assertion failure when specially crafted input is processed. The impact is limited to local systems where the tidy-html5 library is deployed (VulDB).

There is currently no information available about possible countermeasures or patches. It is suggested to consider replacing the affected software with an alternative product until a fix is available (VulDB).