Vulnerability · NVD

CVE-2025-24855

HIGH 7.8 Published on 2025-03-11

numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

EPSS 0.09% exploit very unlikely percentile 25.0%

OS versions that fix this CVE

This CVE is resolved by the following OS security releases. Update the OS to at least the listed version.

iOS Fixed in 18.3
iPadOS Fixed in 18.3 17.7.4
macOS Fixed in 15.3 14.7.3 13.7.3

View on NVD ↗