Back to overview

CVE-2025-15646

CRITICAL
9.8
CVSS 3.1
Description
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Metadata

CVE ID
CVE-2025-15646
State
PUBLISHED
Assigner
CPANSec
Reserved
2026-05-22 10:47 UTC
Published
2026-07-01 14:38 UTC
Last updated
2026-07-01 18:09 UTC
Primary CWE
CWE-843
CWE-843 Access of Resource Using Incompatible Type (Type Con…
Vendor / Product
BPS / HTML::Gumbo
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
BPS HTML::Gumbo 0 < 0.19
Weakness (CWE)
CWESourceDescription
CWE-125 cna CWE-125 Out-of-bounds Read
CWE-843 cna CWE-843 Access of Resource Using Incompatible Type (Type Confusion)
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.8 CRITICAL 3.1 adp CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Back to overview