HSEC-2025-0003

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0003.json
JSON Data
https://api.test.osv.dev/v1/vulns/HSEC-2025-0003
Aliases
Published
2025-04-03T17:14:19Z
Modified
2025-04-04T13:46:29.125680Z
Summary
Use after free in multithreaded lzma (.xz) decoder
Details

In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.

The Haskell xz-clib library vendors and builds the C implementation. The xz package does not use the multithreaded decoder and is therefore unaffected.

References

Affected packages

Hackage / xz-clib

Package

Name
xz-clib
Purl
pkg:hackage/xz-clib

Severity

  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.6.3
Fixed
5.8.1

Affected versions

  • 5.6.3
  • 5.6.4
  • 5.8.0
  • 5.8.0.1