HSEC-2025-0003

See a problem?

Import Source

https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0003.json

JSON Data

https://api.osv.dev/v1/vulns/HSEC-2025-0003

Aliases

CVE-2025-31115
GHSA-6cc8-p5mm-29w2

Published

2025-04-03T17:14:19Z

Modified

2025-07-27T20:43:48.553804Z

Summary

Use after free in multithreaded lzma (.xz) decoder

Details

Use after free in multithreaded lzma (.xz) decoder

In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.

The Haskell xz-clib library vendors and builds the C implementation. The xz package does not use the multithreaded decoder and is therefore unaffected.

Database specific

{
    "home": "https://haskell.github.io/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "repository": "https://github.com/haskell/security-advisories"
}

References

Affected packages

Hackage / xz-clib

Package

Name: xz-clib
Purl: pkg:hackage/xz-clib

Severity

5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.6.3

Fixed

5.8.1

Affected versions

5.*

5.6.3

5.6.4

5.8.0

5.8.0.1

Database specific

{
    "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0003.json",
    "human_link": "https://haskell.github.io/security-advisories/advisory/HSEC-2025-0003.html"
}