Description
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Published: 2025-11-28
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

The library creates a denial‑of‑service condition when processing a file that is roughly 2 MiB in size, causing the parser to consume dozens of seconds of CPU time. The weakness is classified as CWE‑407. Based on the description, it is inferred that attackers can trigger this cost‑heavy parsing by submitting a specifically‑crafted document to any process that loads libexpat for XML processing.

Affected Systems

The issue affects libexpat in all releases through 2.7.3 distributed by the libexpat project. Systems that use this library – for example application servers, command‑line tools, and embedded controllers – are vulnerable if they compile or link against these versions. No later versions are affected, and the problem is resolved in the 2.7.4 release.

Risk and Exploitability

The CVSS score of 2.9 reflects a low overall severity, and the EPSS score of less than 1% indicates a very small probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, further suggesting limited current exploitation. The remediation path requires an attacker to provide the offending file to the parsing component, so this attack is most feasible in a local or remote context where an application accepts untrusted input. A well‑timed large input can disrupt service availability, but it does not allow code execution or data exfiltration.

Generated by OpenCVE AI on April 20, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify all installations of libexpat ≤ 2.7.3 and note the associated application components.
  • Apply the official patch by upgrading to libexpat ≥ 2.7.4 or any newer release where the issue is resolved.
  • Implement file-size validation or payload limits before invoking the XML parser to reject files approaching 2 MiB.
  • Configure application or system resource limits and timeouts around XML parsing operations to avoid long processing times.

Generated by OpenCVE AI on April 20, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 03:30:00 +0000

Type Values Removed Values Added
References

Fri, 28 Nov 2025 12:15:00 +0000

Type Values Removed Values Added
Title libexpat: libexpat: Denial of service via crafted file processing
References
Metrics threat_severity

None

 threat_severity

Low

Fri, 28 Nov 2025 06:30:00 +0000

Type Values Removed Values Added
Description In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
First Time appeared Libexpat Project
Libexpat Project libexpat
Weaknesses CWE-407
CPEs cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*
Vendors & Products Libexpat Project
Libexpat Project libexpat
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Libexpat Project Libexpat
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-09T18:00:09.546Z

Reserved: 2025-11-28T00:00:00.000Z

Link: CVE-2025-66382

cve-icon Vulnrichment

Updated: 2025-12-02T02:34:18.532Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-28T07:15:57.900

Modified: 2025-12-19T16:05:03.557

Link: CVE-2025-66382

cve-icon Redhat

Severity : Low

Publid Date: 2025-11-28T00:00:00Z

Links: CVE-2025-66382 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses