CVE-2025-15646
BPS · HTML::Gumbo
The HTML::Gumbo Perl module is vulnerable to heap memory disclosure due to type confusion when processing the <template> element, leading to unauthorized data exposure.
Executive summary
A heap memory disclosure vulnerability in BPS HTML::Gumbo allows attackers to leak sensitive memory contents through improper handling of elements.
Vulnerability
This is a heap memory disclosure vulnerability caused by type confusion within the walk_tree function. When the parser encounters a element, it incorrectly treats the node as a text-node, causing a buffer over-read that serializes heap memory into the output.
Business impact
The exposure of heap memory can lead to the disclosure of sensitive information, such as cryptographic keys, user session tokens, or internal application data. With a CVSS score of 9.8, this vulnerability poses a significant risk to data confidentiality, potentially enabling attackers to bypass other security controls using leaked memory fragments.
Remediation
Immediate Action: Update the BPS HTML::Gumbo Perl module to version 0.19 or later immediately.
Proactive Monitoring: Monitor applications using this library for unexpected performance degradation or abnormal memory usage patterns.
Compensating Controls: Use strict input validation to sanitize HTML input, preventing the inclusion of elements until the software is patched.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk posed by heap memory disclosure is severe, as it facilitates the compromise of sensitive data. All developers and system administrators using the HTML::Gumbo module should upgrade to the latest version to remediate the vulnerability and protect system confidentiality.