CVE-2025-8732: 
Wolfi vulnerability analysis and mitigation

A vulnerability (CVE-2025-8732) was discovered in libxml2 versions up to 2.14.5, affecting the xmlParseSGMLCatalog function within the xmlcatalog component. The vulnerability was initially disclosed on August 8, 2025, and involves uncontrolled recursion when processing SGML catalogs (Ubuntu CVE, Snyk Report).

The vulnerability is classified with a CVSS v3.1 Base Score of 3.3 (Low), with the following vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L. The issue specifically affects the xmlParseSGMLCatalog function, where improper handling of recursion can lead to resource consumption issues. The vulnerability requires local access to exploit and has been categorized under CWE-404 (Improper Resource Shutdown or Release) and CWE-674 (Uncontrolled Recursion) (Snyk Report).

The vulnerability primarily affects system availability, with potential for reduced performance or interruptions in resource availability. While repeated exploitation is possible, it does not allow complete denial of service to legitimate users. The impact is limited to local attacks with no loss of confidentiality or integrity (Snyk Report).

Currently, there is no fixed version available for the affected libxml2 package. The vulnerability is under evaluation for various Ubuntu releases including 25.04, 24.04 LTS, 22.04 LTS, 20.04 LTS, 18.04 LTS, 16.04 LTS, and 14.04 LTS (Ubuntu CVE).

The vulnerability has gained attention in the cybersecurity community, particularly after being weaponized in Operation HollowQuill, where it was exploited as part of a sophisticated cyber espionage campaign targeting academic institutions and government agencies (Cybersecurity News).