HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion.

Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses.

Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

Project Subscriptions

No data.

Advisories

No advisories yet.

Fixes

Solution

Upgrade to HTML-Gumbo 0.19 or later, which adds GUMBO_NODE_TEMPLATE to the container node types handled by walk_tree.


Workaround

No workaround given by the vendor.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.
Title HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion
Weaknesses CWE-125
CWE-843
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-07-01T14:38:03.727Z

Reserved: 2026-05-22T10:47:01.107Z

Link: CVE-2025-15646

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses