Security Advisories (1)
CVE-2026-8177 (2026-05-10)

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service.

NAME

XML::LibXML::AttributeHash - tie an XML::LibXML::Element to a hash to access its attributes

SYNOPSIS

    tie my %hash, 'XML::LibXML::AttributeHash', $element;
    $hash{'href'} = 'http://example.com/';
    print $element->getAttribute('href') . "\n";

DESCRIPTION

This class allows an element's attributes to be accessed as if they were a plain old Perl hash. Attribute names become hash keys. Namespaced attributes are keyed using Clark notation.

    my $XLINK = 'http://www.w3.org/1999/xlink';
    tie my %hash, 'XML::LibXML::AttributeHash', $element;
    $hash{"{$XLINK}href"} = 'http://localhost/';
    print $element->getAttributeNS($XLINK, 'href') . "\n";
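
Because hash keys become attribute names, keys taken from untrusted input are worth validating before they are stored. The following is an added example, not code from the XML::LibXML distribution: `checked_attr_key` is a hypothetical helper, the name pattern is a conservative approximation chosen for this example, and the sample keys are constructed. It rejects keys that are not well-formed UTF-8 (including ones that end mid-sequence, the input shape described in the advisory above) and splits Clark notation.

```perl
use strict;
use warnings;
use Encode ();

# Hypothetical helper, not part of XML::LibXML. Takes a raw byte string from
# an untrusted source and returns ($namespace_or_undef, $local_name) as
# decoded character strings, or dies if the key is unsafe to use as a name.
sub checked_attr_key {
    my ($bytes) = @_;
    die "key is undefined\n" unless defined $bytes;

    # Strict decode: FB_CROAK dies on malformed input, including a key that
    # ends in the middle of a multi-byte sequence. Decode a copy because
    # decode() may modify its source when a CHECK value is given.
    my $copy = $bytes;
    my $key  = eval { Encode::decode('UTF-8', $copy, Encode::FB_CROAK()) };
    die "key is not well-formed UTF-8\n" unless defined $key;

    # Split Clark notation "{namespace-uri}local"; plain keys have no namespace.
    my ($ns, $local) = $key =~ /\A\{([^{}]+)\}(.+)\z/s ? ($1, $2) : (undef, $key);

    # Conservative approximation of an XML NCName (assumption of this
    # example): letters, digits, "_", "-", "." and no colon.
    die "key is not a valid attribute name\n"
        unless $local =~ /\A[\p{L}_][\p{L}\p{N}_.\-]*\z/;

    return ($ns, $local);
}

# Constructed sample keys: two valid, one truncated, one with markup in it.
my @samples = (
    'href',
    '{http://www.w3.org/1999/xlink}href',
    "caf\xC3",                 # first byte of a two-byte sequence only
    'on click="x"',
);

for my $raw (@samples) {
    my ($ns, $local) = eval { checked_attr_key($raw) };
    if ($@) {
        chomp(my $why = $@);
        printf "reject %-26s %s\n", unpack('H*', $raw), $why;   # hex of the raw bytes
        next;
    }
    printf "accept %s (namespace: %s)\n", $local, $ns // 'none';
    # Safe to store here: $hash{ defined $ns ? "{$ns}$local" : $local } = $value;
}
```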

There is rarely any need to use XML::LibXML::AttributeHash directly. In general, it is possible to take advantage of XML::LibXML::Element's overloading. The example in the SYNOPSIS could have been written:

    $element->{'href'} = 'http://example.com/';
    print $element->getAttribute('href') . "\n";

The tie interface allows the passing of additional arguments to XML::LibXML::AttributeHash:

    tie my %hash, 'XML::LibXML::AttributeHash', $element, %args;

Currently only one argument is supported, the boolean "weaken" which (if true) indicates that the tied object's reference to the element should be a weak reference. This is used by XML::LibXML::Element's overloading. The "weaken" argument is ignored if you don't have a working Scalar::Util::weaken.