CVE-2025-15646
Severity CVSS v4.0:
Pending analysis
Type:
CWE-125
Out-of-bounds Read
Publication date:
01/07/2026
Last modified:
02/07/2026
Description
HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion.<br />
<br />
Support for the element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses.<br />
<br />
Any caller that runs parse() with the default format => &#39;string&#39;, or with format => &#39;tree&#39;, on input containing a element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => &#39;callback&#39; reaches a croak on the unhandled node type and is unaffected.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL



