HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion
Summary
| CVE | CVE-2025-15646 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-01 16:16:29 UTC |
| Updated | 2026-07-01 18:16:25 UTC |
| Description | HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected. |
Risk And Classification
Problem Types: CWE-125 | CWE-843 | CWE-843 CWE-843 Access of Resource Using Incompatible Type (Type Confusion) | CWE-125 CWE-125 Out-of-bounds Read
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugs.debian.org/1104789 | 9b29abf9-4ab0-4765-b253-1875cd9b441e | bugs.debian.org | |
| metacpan.org/release/BPS/HTML-Gumbo-0.19/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | |
| www.openwall.com/lists/oss-security/2026/07/01/7 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| github.com/bestpractical/HTML-Gumbo/commit/15c0598909d4a64f47ef0a1abc505... | 9b29abf9-4ab0-4765-b253-1875cd9b441e | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Vincent Lefevre (en)
CNA: Niko Tyni (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2015-04-30T00:00:00.000Z | Gumbo 0.10.0 released with support for the <template> element. |
| CNA | 2025-05-06T00:00:00.000Z | Reported to the Debian bug tracker (#1104789). |
| CNA | 2025-05-17T00:00:00.000Z | Fix committed upstream. |
| CNA | 2026-05-21T00:00:00.000Z | Version 0.19 released with fix. |
Solutions
CNA: Upgrade to HTML-Gumbo 0.19 or later, which adds GUMBO_NODE_TEMPLATE to the container node types handled by walk_tree.
There are currently no legacy QID mappings associated with this CVE.