JLSEC-2025-80

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-80.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-80.json

JSON Data

https://api.test.osv.dev/v1/vulns/JLSEC-2025-80

Upstream

CVE-2023-29469

Published

2025-10-17T17:40:51.659Z

Modified

2025-11-03T00:19:27.680802Z

Summary

An issue was discovered in libxml2 before 2.10.4

Details

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Database specific

{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29469",
            "imported": "2025-10-28T18:09:09.633Z",
            "id": "CVE-2023-29469",
            "modified": "2025-02-04T21:15:23.447Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2023-29469",
            "published": "2023-04-24T21:15:09.230Z"
        }
    ]
}

References

Affected packages

Julia / XML2_jll

Package

Name: XML2_jll
Purl: pkg:julia/XML2_jll?uuid=02c8fc9c-b97f-50b9-bbe4-9be30ff0a78a

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.10.4+0

Introduced

2.11.5+0

Fixed

2.12.0+0