CVE-2025-7425: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-7425 is a Use-After-Free vulnerability discovered in libxslt, disclosed on July 10, 2025. The vulnerability affects the libxslt package, which is commonly used in server-side XML processing. The flaw was identified when attribute type (atype) flags are modified in a way that corrupts internal memory management (NVD, Red Hat XML).

The vulnerability occurs when xsltSetSourceNodeFlags() sets extra flag bits on xmlAttrPtr->atype, a field later used by libxml2 to check whether an attribute is an XML ID. This corruption can cause libxml2 to skip cleanup steps like xmlRemoveID() during memory deallocation. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H. The flaw is classified as CWE-416 (Use After Free) (Red Hat Bugzilla, Snyk).

The vulnerability can lead to memory corruption and application crashes. Since libxslt is commonly used in server-side XML processing, this could result in denial-of-service or potentially facilitate code execution under certain memory reuse conditions. The system may access freed memory, causing crashes or enabling attackers to trigger heap corruption (Red Hat XML).

According to Red Hat, mitigation for this issue is either not available or the currently available options do not meet their Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability (Red Hat XML).

Red Hat has acknowledged the vulnerability and credited Sergei Glazunov from Google Project Zero for reporting this issue (Red Hat XML).