Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-45525

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-17 Jun, 2025 | 00:00
Updated At-26 Aug, 2025 | 18:51
Rejected At-
Credits

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:17 Jun, 2025 | 00:00
Updated At:26 Aug, 2025 | 18:51
Rejected At:
▼CVE Numbering Authority (CNA)

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

Affected Products
Vendor
asvd
Product
microlight
Default Status
unaffected
Versions
Affected
  • From 0 through 0.0.7 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-476CWE-476 NULL Pointer Dereference
Type: CWE
CWE ID: CWE-476
Description: CWE-476 NULL Pointer Dereference
Metrics
VersionBase scoreBase severityVector
3.12.9LOW
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Version: 3.1
Base score: 2.9
Base severity: LOW
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424
N/A
https://github.com/github/advisory-database/pull/5730
N/A
Hyperlink: https://gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424
Resource: N/A
Hyperlink: https://github.com/github/advisory-database/pull/5730
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:17 Jun, 2025 | 20:15
Updated At:26 Aug, 2025 | 19:15

A NULL pointer dereference vulnerability has been identified in the JavaScript library microlight version 0.0.7, a lightweight syntax highlighting library. When processing elements with non-standard CSS color values, the library fails to validate the result of a regular expression match before accessing its properties, leading to an uncaught TypeError and potential application crash. NOTE: this is disputed by multiple parties because there is no common scenario in which an adversary can insert those non-standard values.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.12.9LOW
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Type: Secondary
Version: 3.1
Base score: 2.9
Base severity: LOW
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-476Primarycve@mitre.org
CWE ID: CWE-476
Type: Primary
Source: cve@mitre.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424cve@mitre.org
N/A
https://github.com/github/advisory-database/pull/5730cve@mitre.org
N/A
Hyperlink: https://gist.github.com/Rootingg/843368931f70886bed3cf982f10a4424
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://github.com/github/advisory-database/pull/5730
Source: cve@mitre.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2025-45526
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.02% / 3.38%
||
7 Day CHG~0.00%
Published-17 Jun, 2025 | 00:00
Updated-26 Jun, 2025 | 16:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A denial of service (DoS) vulnerability has been identified in the JavaScript library microlight version 0.0.7. This library, used for syntax highlighting, does not limit the size of textual content it processes in HTML elements with the microlight class. When excessively large content (e.g., 100 million characters) is processed, the reset function in microlight.js consumes excessive memory and CPU resources, causing browser crashes or unresponsiveness. An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page containing a microlight element with large content, resulting in a denial of service. NOTE: this is disputed by multiple parties because a large amount of memory and CPU resources is expected to be needed for content of that size.

Action-Not Available
Vendor-asvd
Product-microlight
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-56430
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.06% / 19.10%
||
7 Day CHG~0.00%
Published-25 Dec, 2024 | 00:00
Updated-27 Aug, 2025 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenFHE through 1.2.3 has a NULL pointer dereference in BinFHEContext::EvalFloor in lib/binfhe-base-scheme.cpp.

Action-Not Available
Vendor-OpenFHE
Product-OpenFHE
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-43966
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.06% / 18.10%
||
7 Day CHG+0.01%
Published-20 Apr, 2025 | 00:00
Updated-08 May, 2025 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc.

Action-Not Available
Vendor-strukturstruktur
Product-libheiflibheif
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-43967
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.07% / 20.52%
||
7 Day CHG+0.01%
Published-20 Apr, 2025 | 00:00
Updated-08 May, 2025 | 16:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item.

Action-Not Available
Vendor-strukturstruktur
Product-libheiflibheif
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2023-47466
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.02% / 2.64%
||
7 Day CHG~0.00%
Published-22 May, 2025 | 00:00
Updated-02 Jul, 2025 | 00:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TagLib before 2.0 allows a segmentation violation and application crash during tag writing via a crafted WAV file in which an id3 chunk is the only valid chunk.

Action-Not Available
Vendor-taglibTagLib
Product-taglibTagLib
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2025-27113
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.9||LOW
EPSS-0.06% / 17.04%
||
7 Day CHG~0.00%
Published-18 Feb, 2025 | 00:00
Updated-07 Mar, 2025 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Action-Not Available
Vendor-libxml2 (XMLSoft)
Product-libxml2libxml2
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2022-41972
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-2.9||LOW
EPSS-0.03% / 5.11%
||
7 Day CHG~0.00%
Published-16 Dec, 2022 | 17:37
Updated-17 Apr, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Contiki-NG contains NULL Pointer Dereference in BLE L2CAP module

Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. Versions prior to 4.9 contain a NULL Pointer Dereference in BLE L2CAP module. The Contiki-NG operating system for IoT devices contains a Bluetooth Low Energy stack. An attacker can inject a packet in this stack, which causes the implementation to dereference a NULL pointer and triggers undefined behavior. More specifically, while processing the L2CAP protocol, the implementation maps an incoming channel ID to its metadata structure. In this structure, state information regarding credits is managed through calls to the function input_l2cap_credit in the module os/net/mac/ble/ble-l2cap.c. Unfortunately, the input_l2cap_credit function does not check that the metadata corresponding to the user-supplied channel ID actually exists, which can lead to the channel variable being set to NULL before a pointer dereferencing operation is performed. The vulnerability has been patched in the "develop" branch of Contiki-NG, and will be included in release 4.9. Users can apply the patch in Contiki-NG pull request #2253 as a workaround until the new package is released.

Action-Not Available
Vendor-contiki-ngcontiki-ng
Product-contiki-ngcontiki-ng
CWE ID-CWE-476
NULL Pointer Dereference
Details not found