libxslt -- unmaintained, with multiple unfixed vulnerabilities

Alan Coopersmith reports:

On 6/16/25 15:12, Alan Coopersmith wrote:

BTW, users of libxml2 may also be using its sibling project, libxslt, which currently has no active maintainer, but has three unfixed security issues reported against it according to https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt

2 of the 3 have now been disclosed:

(CVE-2025-7424) libxslt: Type confusion in xmlNode.psvi between stylesheet and source nodes
https://gitlab.gnome.org/GNOME/libxslt/-/issues/139 https://project-zero.issues.chromium.org/issues/409761909

(CVE-2025-7425) libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
https://project-zero.issues.chromium.org/issues/410569369

Engineers from Apple & Google have proposed patches in the GNOME gitlab issues, but neither has had a fix applied to the git repo since there is currently no maintainer for libxslt.

[source]

Note that a fourth vulnerability was reported on June 18, 2025, which remains undisclosed to date (GNOME libxslt issue 148, link below), see https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025#libxml2-and-libxslt