libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are...
CVSS 7.5 | AI Score 7.6 | EPSS 0.001
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile...
CVSS 5.5 | AI Score 7.4 | EPSS 0.001
In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory...
CVSS 7.5 | AI Score 7.7 | EPSS 0.005
CVSS 8.1 | AI Score 8.2 | EPSS 0.006
CVSS 9.8 | AI Score 9.7 | EPSS 0.02
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD...
CVSS 6.5 | AI Score 7.8 | EPSS 0.006
CVSS 7.5 | AI Score 8.7 | EPSS 0.009
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace...
CVSS 9.8 | AI Score 9.5 | EPSS 0.035
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain...
CVSS 9.8 | AI Score 9.6 | EPSS 0.015
CVSS 7.5 | AI Score 8.6 | EPSS 0.006
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero...
CVSS 9.8 | AI Score 9.6 | EPSS 0.014
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer...
CVSS 8.8 | AI Score 9.3 | EPSS 0.007
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer...
CVSS 9.8 | AI Score 9.5 | EPSS 0.008
CVSS 9.8 | AI Score 9.5 | EPSS 0.01
CVSS 9.8 | AI Score 9.3 | EPSS 0.003
CVSS 8.8 | AI Score 9.3 | EPSS 0.007
CVSS 8.8 | AI Score 9.3 | EPSS 0.008
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for...
CVSS 7.8 | AI Score 8.9 | EPSS 0.001
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing...
CVSS 8.8 | AI Score 9.1 | EPSS 0.01
In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer...
CVSS 7.5 | AI Score 8.2 | EPSS 0.005
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service...
CVSS 7.5 | AI Score 7.5 | EPSS 0.609
The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat in Expat 2.2.1 and 2.2.2 on Windows allows local users to gain privileges via a Trojan horse ADVAPI32.DLL in the current working directory because of an untrusted search path, aka DLL...
CVSS 7.8 | AI Score 7.6 | EPSS 0.0004
XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an external...
CVSS 7.5 | AI Score 8.3 | EPSS 0.003
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283...
CVSS 8.1 | AI Score 8.9 | EPSS 0.014
Expat, when used in a parser that has not called XML_SetHashSalt or passed it a seed of 0, makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms via vectors involving use of the srand...
CVSS 5.9 | AI Score 6.2 | EPSS 0.002
The XML parser in Expat does not use sufficient entropy for hash initialization, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted identifiers in an XML document. NOTE: this vulnerability exists because of an incomplete fix for...
CVSS 7.5 | AI Score 6.7 | EPSS 0.007
Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer...
CVSS 9.8 | AI Score 8.6 | EPSS 0.008
Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a...
AI Score 8.3 | EPSS 0.032
expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a...
AI Score 6.7 | EPSS 0.005
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same...
AI Score 6.4 | EPSS 0.004
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding...
AI Score 8 | EPSS 0.009
readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML...
AI Score 7.9 | EPSS 0.002
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the...
AI Score 6.2 | EPSS 0.013
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer...
AI Score 6.2 | EPSS 0.032