CVE-2025-9714: 
NixOS vulnerability analysis and mitigation

CVE-2025-9714 is a vulnerability discovered in libxml2, affecting versions up to and including 2.9.14. The vulnerability was disclosed on September 10, 2025, and involves uncontrolled recursion in XPath evaluation functionality. This security flaw affects the core XML processing capabilities of the libxml2 library, which is widely used in various software systems (NVD, Debian Tracker).

The vulnerability stems from XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr resetting recursion depth to zero before making potentially recursive calls. When these functions were called recursively, it could lead to uncontrolled recursion and subsequently cause a stack overflow. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) by NIST and 6.2 (Medium) by Canonical Ltd., with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows a local attacker to cause a stack overflow through crafted expressions, potentially leading to denial of service conditions. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (NVD).

The vulnerability has been fixed in libxml2 version 2.10.0 and later releases. The fix involves modifying the affected functions to preserve recursion depth across recursive calls, allowing proper control of recursion depth. Users are advised to upgrade to the fixed version (Debian Tracker).