LiveActive security incident?Get immediate response
CVE Record

CVE-2025-8732: libxml2 xmlcatalog xmlParseSGMLCatalog recursion

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

MediumCVSS 4.8Not KEV-listedUpdated
Glexia's Takelow

Analyst readout for executives and security teams

Plain-English summary

CVE-2025-8732 is a reported libxml2 issue where local use of xmlcatalog with an untrusted SGML catalog may cause uncontrolled recursion and limited availability impact. Practical business urgency appears low because local access is required, the affected feature is niche, and the maintainer questioned real-world relevance.

Executive priority

Treat as low-priority unless libxml2 2.14.x is deployed in workflows that consume untrusted SGML catalogs. Prioritize inventory and vendor monitoring over emergency response. Escalate only if a critical product advisory maps this CVE to a business-relevant system.

Technical view

The report affects libxml2 2.14.0 through 2.14.5 in xmlcatalog, specifically xmlParseSGMLCatalog. Manipulated input can trigger uncontrolled recursion, mapped to CWE-404 and CWE-674. CVSS v4.0 is 4.8 with local attack vector, low complexity, low availability impact, and no confidentiality or integrity impact.

Likely exposure

Exposure is most plausible on systems running libxml2 2.14.0-2.14.5 where local users or jobs process SGML catalogs from untrusted sources. General web-facing exposure is not supported by the provided sources.

Exploitation context

VulDB states a public exploit was disclosed and may be used, but CISA KEV status is false in the bundle. The source also says local attacking is required, and the maintainer doubted practical exploitability because untrusted SGML catalogs are unusual.

Researcher notes

Evidence is mixed: the CVE record and VulDB describe uncontrolled recursion and public exploit disclosure, while the maintainer questions whether the issue is meaningful in real deployments. Avoid assuming remote exposure, active exploitation, or a fixed version without updated vendor confirmation.

Mitigation direction

  • Inventory systems using libxml2 versions 2.14.0 through 2.14.5.
  • Avoid processing SGML catalogs from untrusted or user-controlled sources.
  • Restrict local access to workflows that invoke xmlcatalog or parse SGML catalogs.
  • Monitor libxml2, OS distribution, and vendor advisories for confirmed fixes.
  • Review Siemens advisory SSA-253495 where Siemens products are in scope.

Validation and detection

  • Confirm installed libxml2 versions through asset and package inventories.
  • Identify applications, scripts, or jobs that call xmlcatalog.
  • Check whether SGML catalogs originate from trusted administrative sources only.
  • Review local permissions around catalog files and catalog-processing workflows.
  • Track CVE and vendor records for updated affected-version or fix information.
Prepared
Confidence
medium
Sources
8

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-404: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cwe · low confidence lookup

CWE-674: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-8732 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.8 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4CVSS vectors
6Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.8CVSS 4.0MediumCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:PVulDB
3.3CVSS 3.1LowCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C1.81.4VulDB
3.3CVSS 3.0LowCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:C1.81.4VulDB
1.7CVSS 2.0LowAV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:C3.12.9VulDB

Vulnerability scoring details

Base CVSS 4.0 score

4.8Medium
CVSS 4.0 vector shape for CVE-2025-8732Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineVulDB

    Advisory disclosed

  2. Source timelineVulDB

    VulDB entry created

  3. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timelineVulDB

    VulDB entry last update

  5. CVE publishedCVE Program

    The CVE record was published.

  6. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/alibxml22.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-404 · source CWE mapping

Improper Resource Shutdown or Release

Improper Resource Shutdown or Release represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-674 · source CWE mapping

Uncontrolled Recursion

Uncontrolled Recursion represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.