Component: expat

Name: expat
Version: 2.5.0
Type: library
Description: A stream-oriented XML parser library
Licenses: MIT
PURL: -
CPE: cpe:2.3:*:libexpat_project:libexpat:2.5.0:*:*:*:*:*:*:*

Other Versions

| Project | Branch | Version |
| --- | --- | --- |
| | master | 2.8.1 |
| | scarthgap | 2.6.4 |

Patches

| # | Title | Author | Resolve |
| --- | --- | --- | --- |
| 1 | lib: Make XML_ExternalEntityParserCreate copy unknown | Sebastian Pipping <sebastian@pipping.org> | CVE-2026-24515 |
| 2 | lib: Fail the build if XML_GE is not set to 1 or 0 | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 3 | lib: Make XML_GE==0 use self-references as entity replacement | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 4 | cmake: Introduce option EXPAT_GE to control macro XML_GE | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 5 | Simplify "! defined(XML_DTD) && XML_GE == 0" to "XML_GE == 0" | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 6 | Simplify "defined(XML_DTD) \|\| XML_GE == 1" to "XML_GE == 1" | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 7 | lib: Detect integer overflow in function nextScaffoldPart | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-45492 |
| 8 | lib: Detect integer overflow in dtdCopy | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-45491 |
| 9 | doc/reference.html: Document build time macro XML_GE | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 10 | lib: Introduce an integer overflow check for tag buffer | Matthew Fernandez <matthew.fernandez@gmail.com> | CVE-2026-25210 |
| 11 | doc: Document that XML_Parse/XML_ParseBuffer reject "len < 0" | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-45490 |
| 12 | configure.ac: Define macro XML_GE as 1 | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 13 | lib: Realign a size with the `REALLOC` type signature it is | Matthew Fernandez <matthew.fernandez@gmail.com> | CVE-2026-25210 |
| 14 | lib: Make XML_StopParser refuse to stop/suspend an | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-50602 |
| 15 | lib: Add XML_GE to XML_GetFeatureList and XML_FeatureEnum | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 16 | lib: Reject negative len for XML_ParseBuffer | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-45490 |
| 17 | lib: Make a doubling more readable | Matthew Fernandez <matthew.fernandez@gmail.com> | CVE-2026-25210 |
| 18 | tests: Cover "len < 0" for both XML_Parse and XML_ParseBuffer | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-45490 |
| 19 | lib: Be explicit about XML_PARSING in XML_StopParser | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-50602 |
| 20 | minicheck: Add simple subtest support | Snild Dolkow <snild@sony.com> | CVE-2024-45490 |
| 21 | lib\|xmlwf\|cmake: Extend scope of billion laughs attack | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 22 | doc/reference.html: Clarify effect of XML_DTD on external | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 23 | Drop redundant "XML_GE == 1" guards | Sebastian Pipping <sebastian@pipping.org> | CVE-2023-52426 |
| 24 | lib/xmlparse.c: Detect billion laughs attack with isolated | Sebastian Pipping <sebastian@pipping.org> | CVE-2024-28757 |

Vulnerabilities

| Name | Analysis | Description |
| --- | --- | --- |
| | Exploitable | libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219. |
| | Exploitable | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. |
| | Exploitable | xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId. |
| | Exploitable | xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in copyString. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in getAttributeId. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in addBinding. |
| | Exploitable | libexpat before 2.8.2 has an integer overflow in storeAtts. |
| | Exploitable | In libexpat before 2.8.2, there is a heap-based buffer overflow in doProlog in xmlparse.c because scaffold backing array reallocation is mishandled when there is data-structure sharing across parsers. |
| | Exploitable | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_ResumeParser from within handlers in cases of a policy violation. Thus, a use-after-free can occur (similar to the CVE-2026-50219 situation). |
| | Exploitable | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, |
| | Exploitable | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. |
| | Exploitable | libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document. |
| | Exploitable | libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition. |
| | Exploitable | libexpat before 2.7.5 allows an infinite loop while parsing DTD content. |
| | Exploitable | libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content. |
| | Patched | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. |
| | Patched | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. |
| | Exploitable | In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time. |
| | Exploitable | libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing. |
| | Patched | An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. |
| | Patched | An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
| | Patched | An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
| | Patched | An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
| | Patched | libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate). |
| | Patched | libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. |
| | Exploitable | libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |