CVE Catalog

CVE-2025-15646

Severity: Critical (CVSS 9.8)

Exploitation Probability (EPSS)

EPSS score: 0.66% (low risk)

47th percentile: higher than 47% of all known CVEs

Summary

HTML::Gumbo for Perl before version 0.19 discloses heap memory via type confusion. The walk_tree function in the module's XS layer does not handle the <template> node type that libgumbo has produced since 0.10.0; such a node falls through to the text-node path, and strlen() is called on a pointer that does not address a NUL-terminated string, over-reading the heap block it points into.

Risk Assessment

An attacker who can get a <template> element into HTML that the application parses with format => 'string' (the default) or format => 'tree' causes the over-read bytes to be copied into the returned result. The disclosure is bounded, since strlen() stops at the first NUL byte it encounters past the end of the block, but the bytes that precede it may include session tokens, keys, passwords, or other secrets held in process memory. Applications that parse untrusted HTML (user-submitted content, scraped pages, e-mail bodies) and then return, store, or log the parsed output are the ones exposed: the attacker must be able to observe the result for the leak to be useful.

Recommendation

Update HTML::Gumbo to version 0.19 or later. If an update is not possible, do not pass untrusted HTML to parse() with format => 'string' (the default) or format => 'tree'; any untrusted document can contain a <template> element, and pattern-matching the raw input for the tag is fragile because the parser, not a regex, decides what becomes a <template> node. format => 'callback' reaches a croak on the unhandled node type instead of over-reading, so it fails closed, but callers must trap that die (for example with eval) or the same input becomes a crash instead of a leak.

Original NVD description (English source)

HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.
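To make the mechanism concrete, here is an added illustration in C (not code from libgumbo or HTML::Gumbo). It uses a cut-down mock of the node layout from gumbo.h, keeping only the fields that matter and assuming, as in the real header, that GumboElement starts with its children vector and GumboText starts with its text pointer inside one union. The old walker's shape is reproduced to show why a <template> node hands strlen() the children pointer array, and a type-aware walker shows the fix; the sample tree is constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Cut-down mock of the gumbo.h layout (assumption: trimmed to the fields that
 * matter; the real structs carry more members but keep the same first fields). */
typedef enum {
    GUMBO_NODE_DOCUMENT, GUMBO_NODE_ELEMENT, GUMBO_NODE_TEXT, GUMBO_NODE_CDATA,
    GUMBO_NODE_COMMENT, GUMBO_NODE_WHITESPACE, GUMBO_NODE_TEMPLATE
} NodeType;

typedef struct { void **data; unsigned length; } Vector;            /* GumboVector */
typedef struct { Vector children; const char *tag_name; } Element;  /* GumboElement: children first */
typedef struct { const char *text; } Text;                          /* GumboText: text first */

typedef struct Node {
    NodeType type;
    union { Element element; Text text; } v;   /* one storage area, interpreted via 'type' */
} Node;

/* Shape of the pre-0.19 walker: anything that is not an ELEMENT is read as text,
 * so a TEMPLATE node's union is reinterpreted as Text. Because v.text.text and
 * v.element.children.data share offset 0, the "string" handed to strlen() is
 * really the children pointer array, which carries no NUL terminator of its own. */
static const char *vulnerable_text_ptr(const Node *n) {
    if (n->type == GUMBO_NODE_ELEMENT) return NULL;  /* elements walk their children */
    return n->v.text.text;                           /* type confusion for TEMPLATE */
}

static void append(char *out, size_t cap, const char *s) {
    size_t used = strlen(out);
    if (used + 1 >= cap) return;
    strncat(out, s, cap - used - 1);
}

/* Hardened walker: dispatch on the node type, treat TEMPLATE exactly like
 * ELEMENT (same union member), and refuse unknown types instead of guessing. */
static int walk_fixed(const Node *n, char *out, size_t cap) {
    switch (n->type) {
    case GUMBO_NODE_TEXT:
    case GUMBO_NODE_WHITESPACE:
        append(out, cap, n->v.text.text);   /* v.text is only valid here */
        return 0;
    case GUMBO_NODE_ELEMENT:
    case GUMBO_NODE_TEMPLATE: {             /* the case the old walker lacked */
        const Element *e = &n->v.element;
        append(out, cap, "<"); append(out, cap, e->tag_name); append(out, cap, ">");
        for (unsigned i = 0; i < e->children.length; i++)
            if (walk_fixed((const Node *)e->children.data[i], out, cap) != 0) return -1;
        append(out, cap, "</"); append(out, cap, e->tag_name); append(out, cap, ">");
        return 0;
    }
    default:
        return -1;  /* not modelled here: fail closed, as the 'callback' croak does */
    }
}

int serialize_fixed(const Node *root, char *out, size_t cap) {
    if (cap == 0) return -1;
    out[0] = '\0';
    return walk_fixed(root, out, cap);
}

/* Constructed sample tree for <template><p>hi</p></template>. */
static Node g_hi = { GUMBO_NODE_TEXT, { .text = { "hi" } } };
static void *p_children[] = { &g_hi };
static Node g_p = { GUMBO_NODE_ELEMENT, { .element = { { p_children, 1 }, "p" } } };
void *tmpl_children[] = { &g_p };
Node g_template = { GUMBO_NODE_TEMPLATE, { .element = { { tmpl_children, 1 }, "template" } } };

/* 1 if the old walker would hand strlen() the children array instead of text. */
int confused_pointer_is_children_array(void) {
    return vulnerable_text_ptr(&g_template) == (const char *)tmpl_children;
}

/* Fixed serialization of the sample tree, or NULL on failure. */
const char *fixed_html(void) {
    static char buf[128];
    return serialize_fixed(&g_template, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void) {
    printf("old walker reads children array as text: %s\n",
           confused_pointer_is_children_array() ? "yes" : "no");
    printf("fixed walker: %s\n", fixed_html());
    return 0;
}
```

The example deliberately never calls strlen() on the confused pointer: doing so is the over-read itself, and its length depends on where the next zero byte happens to sit in the heap, which is exactly why the leak is bounded but unpredictable. The point to carry over to any XS or C walker is that a union is only meaningful through the member selected by its tag, so every new enumerator the library adds must be dispatched explicitly, and the default branch must fail closed rather than fall through to the nearest-looking case.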

Vulnerability data from NVD (NIST) · CISA KEV · EPSS