A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."
CVE-2025-8732 is a reported libxml2 issue where local use of xmlcatalog with an untrusted SGML catalog may cause uncontrolled recursion and limited availability impact. Practical business urgency appears low because local access is required, the affected feature is niche, and the maintainer questioned real-world relevance.
Executive priority
Treat as low-priority unless libxml2 2.14.x is deployed in workflows that consume untrusted SGML catalogs. Prioritize inventory and vendor monitoring over emergency response. Escalate only if a critical product advisory maps this CVE to a business-relevant system.
Technical view
The report affects libxml2 2.14.0 through 2.14.5 in xmlcatalog, specifically xmlParseSGMLCatalog. Manipulated input can trigger uncontrolled recursion, mapped to CWE-404 and CWE-674. CVSS v4.0 is 4.8 with local attack vector, low complexity, low availability impact, and no confidentiality or integrity impact.
Likely exposure
Exposure is most plausible on systems running libxml2 2.14.0-2.14.5 where local users or jobs process SGML catalogs from untrusted sources. General web-facing exposure is not supported by the provided sources.
Exploitation context
VulDB states a public exploit was disclosed and may be used, but CISA KEV status is false in the bundle. The source also says local attacking is required, and the maintainer doubted practical exploitability because untrusted SGML catalogs are unusual.
Researcher notes
Evidence is mixed: the CVE record and VulDB describe uncontrolled recursion and public exploit disclosure, while the maintainer questions whether the issue is meaningful in real deployments. Avoid assuming remote exposure, active exploitation, or a fixed version without updated vendor confirmation.
Mitigation direction
Inventory systems using libxml2 versions 2.14.0 through 2.14.5.
Avoid processing SGML catalogs from untrusted or user-controlled sources.
Restrict local access to workflows that invoke xmlcatalog or parse SGML catalogs.
Monitor libxml2, OS distribution, and vendor advisories for confirmed fixes.
Review Siemens advisory SSA-253495 where Siemens products are in scope.
Validation and detection
Confirm installed libxml2 versions through asset and package inventories.
Identify applications, scripts, or jobs that call xmlcatalog.
Check whether SGML catalogs originate from trusted administrative sources only.
Review local permissions around catalog files and catalog-processing workflows.
Track CVE and vendor records for updated affected-version or fix information.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-404: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-404 · source CWE mapping
Improper Resource Shutdown or Release
Improper Resource Shutdown or Release represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Uncontrolled Recursion represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.