CVE-2025-15646

NameCVE-2025-15646
DescriptionHTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104789

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libhtml-gumbo-perl (PTS)bullseye0.18-2vulnerable
bookworm0.18-3+deb12u1fixed
trixie0.18-5fixed
forky, sid0.20-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libhtml-gumbo-perlsourcebookworm0.18-3+deb12u1
libhtml-gumbo-perlsource(unstable)0.18-51104789

Notes

[bullseye] - libhtml-gumbo-perl <postponed> (Minor issue)
https://lists.security.metacpan.org/cve-announce/msg/41446255/
https://github.com/ruz/HTML-Gumbo/issues/6
https://github.com/bestpractical/html-gumbo/commit/15c0598909d4a64f47ef0a1abc5051f4e113c186 (0.19)

Search for package or bug name: Reporting problems