CVE-2025-15646
Severity: Critical, CVSS 9.8
Exploitation Probability (EPSS): Low risk, 47th percentile (higher than 47% of all known CVEs)
Summary
HTML::Gumbo for Perl before version 0.19 discloses heap memory via type confusion. The walk_tree function does not support the <template> element and treats it as a text node, so strlen() is called on a pointer that does not address a string and over-reads the heap block.
Risk Assessment
An attacker can provide input containing a <template> element, causing heap memory fragments to leak into the parsing result. This may expose sensitive data such as keys, passwords, or other confidential information stored in the process memory.
Recommendation
Immediately update HTML::Gumbo to version 0.19 or later. If an update is not possible, avoid using 'string' or 'tree' formats on input containing a <template> element.
Original NVD description (English source)
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.
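The bug class described above, as an added illustration that is not code from HTML::Gumbo, libgumbo or NVD: a tree walker dispatches on a node-kind tag, a new kind (NODE_TEMPLATE) is added to the node model, and the walker's dispatch is not updated, so the new kind falls into the "must be text" branch and is read through the wrong view of the union. The node type, union layout, function names and sample tree below are all constructed for this example. In the toy the aliased word happens to be the tag pointer, so the confusion is visible as wrong output rather than as an out-of-bounds read; the hardened walker handles every kind explicitly and rejects anything else, the equivalent of the croak the callback format reaches.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy node model for this example only: the type names, union layout and
 * functions below are assumptions, not libgumbo's or HTML::Gumbo's code. */
typedef enum { NODE_TEXT, NODE_ELEMENT, NODE_TEMPLATE } node_kind;

typedef struct node {
    node_kind kind;
    union {
        struct { const char *text; } text;      /* valid for NODE_TEXT */
        struct {                                /* valid for NODE_ELEMENT / NODE_TEMPLATE */
            const char *tag;
            struct node **children;
            size_t nchildren;
        } element;
    } v;
} node;

enum { WALK_OK = 0, WALK_OVERFLOW = 1, WALK_UNSUPPORTED = 2 };

/* Append src to the NUL-terminated buffer out (capacity cap). */
static int append(char *out, size_t cap, const char *src) {
    size_t have = strlen(out), need = strlen(src);
    if (have + need + 1 > cap) return WALK_OVERFLOW;
    memcpy(out + have, src, need + 1);
    return WALK_OK;
}

typedef int (*walk_fn)(const node *, char *, size_t);

/* Serialize <tag>children</tag>, recursing with the given walker. */
static int emit_element(const node *n, char *out, size_t cap, walk_fn walk) {
    int rc;
    if ((rc = append(out, cap, "<")) || (rc = append(out, cap, n->v.element.tag)) ||
        (rc = append(out, cap, ">")))
        return rc;
    for (size_t i = 0; i < n->v.element.nchildren; i++)
        if ((rc = walk(n->v.element.children[i], out, cap)))
            return rc;
    if ((rc = append(out, cap, "</")) || (rc = append(out, cap, n->v.element.tag)))
        return rc;
    return append(out, cap, ">");
}

/* Vulnerable dispatch pattern: only ELEMENT is checked; every other kind is
 * assumed to be text, so a TEMPLATE node is read through the text view of
 * the union. Here the aliased word is the tag pointer, so the confusion shows
 * up as wrong output; in the real XS the aliased word was not a string
 * pointer and strlen() ran past the heap block. */
int walk_vulnerable(const node *n, char *out, size_t cap) {
    if (n->kind == NODE_ELEMENT)
        return emit_element(n, out, cap, walk_vulnerable);
    return append(out, cap, n->v.text.text);   /* wrong for NODE_TEMPLATE */
}

/* Hardened dispatch: every kind is handled explicitly and anything else is
 * rejected instead of being guessed at. */
int walk_hardened(const node *n, char *out, size_t cap) {
    switch (n->kind) {
    case NODE_TEXT:
        return append(out, cap, n->v.text.text);
    case NODE_ELEMENT:
    case NODE_TEMPLATE:
        return emit_element(n, out, cap, walk_hardened);
    default:
        return WALK_UNSUPPORTED;
    }
}

/* Constructors for sample trees (constructed test data, not parser output). */
node *make_text(const char *s) {
    node *n = calloc(1, sizeof *n);
    n->kind = NODE_TEXT;
    n->v.text.text = s;
    return n;
}

node *make_element(node_kind kind, const char *tag, node **children, size_t nchildren) {
    node *n = calloc(1, sizeof *n);
    n->kind = kind;
    n->v.element.tag = tag;
    n->v.element.children = children;
    n->v.element.nchildren = nchildren;
    return n;
}

int main(void) {
    /* Constructed tree for <div>a<template>hi</template></div> */
    node *inner = make_text("hi");
    node *tpl = make_element(NODE_TEMPLATE, "template", &inner, 1);
    node *kids[2] = { make_text("a"), tpl };
    node *root = make_element(NODE_ELEMENT, "div", kids, 2);
    char buf[128];

    buf[0] = '\0';
    walk_vulnerable(root, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);   /* template node serialized as the text "template" */

    buf[0] = '\0';
    walk_hardened(root, buf, sizeof buf);
    printf("hardened:   %s\n", buf);   /* <div>a<template>hi</template></div> */
    return 0;
}
```

The point to take from the two walkers is the shape of the fix, not the toy output: when a parser library gains a new node kind, any downstream switch that treats "not an element" as "therefore text" silently reinterprets memory, so the dispatch must enumerate every kind it knows and fail closed on the rest.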