CVE-2022-25235

9.8 CRITICAL

📋 TL;DR

CVE-2022-25235 is a critical vulnerability in Expat (libexpat) XML parser where improper UTF-8 character validation allows attackers to bypass security checks. This affects any application using vulnerable Expat versions to parse untrusted XML data. Attackers could potentially execute arbitrary code or cause denial of service.

💻 Affected Systems

Products:
  • Expat (libexpat)
  • Any software using vulnerable Expat library
Versions: All versions before 2.4.5
Operating Systems: Linux, Windows, macOS, BSD, Embedded systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when parsing XML with specially crafted UTF-8 sequences; many Linux distributions ship Expat by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Denial of service through application crashes or memory corruption, potentially leading to information disclosure

🟢 If Mitigated: Limited impact if XML parsing is restricted to trusted sources or input validation is implemented

🌐 Internet-Facing: HIGH - XML parsing is common in web services and APIs exposed to untrusted input
🏢 Internal Only: MEDIUM - Internal applications parsing XML from controlled sources have reduced risk

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept available in security advisories; exploitation requires sending malicious XML to vulnerable parser

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.5 and later

Vendor Advisory: https://github.com/libexpat/libexpat/pull/562

Restart Required: Yes

Instructions:

1. Update Expat to version 2.4.5 or later.
2. For Linux: use the package manager (apt-get update && apt-get install libexpat1).
3. For Windows: download from the official source.
4. Recompile applications if statically linked.
5. Restart affected services.

🔧 Temporary Workarounds

Input Validation (all): Implement strict XML input validation and sanitization before parsing

Network Segmentation (all): Restrict XML parsing services to internal networks only

🧯 If You Can't Patch

  • Implement WAF rules to block malicious XML patterns
  • Disable XML parsing for untrusted sources and use alternative data formats

🔍 How to Verify

Check if Vulnerable:

Check the Expat version with xmlwf -v (the xmlwf tool ships with Expat; there is no standalone expat binary) or check the installed package version

Check Version:

xmlwf -v 2>/dev/null || strings /usr/lib*/libexpat.so* | grep -i 'expat_'

Verify Fix Applied:

Verify that the version is 2.4.5 or higher: dpkg -l | grep libexpat (Debian/Ubuntu) or rpm -qa | grep expat (RHEL/Fedora)
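A small POSIX shell helper, added here and not part of the advisory, that takes the output of the probes above (xmlwf -v, the expat_X.Y.Z string embedded in libexpat.so, or a package version) and reports whether the installed Expat is at or above the 2.4.5 fix threshold; the function names are our own.

```sh
#!/bin/sh
# Added example (not from the advisory): compare probe output against the
# CVE-2022-25235 fix release. Function names are our own.

FIXED_VERSION="2.4.5"   # first release containing the fix

# Pull a bare X.Y.Z version out of probe output such as
# "xmlwf using expat_2.4.4", "expat_2.4.5" (strings on libexpat.so)
# or a package version like "1:2.4.7-1ubuntu0.1".
extract_expat_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit 0 when dotted version $1 >= $2, comparing each field numerically
# so that 2.10.0 ranks above 2.4.5 (a plain string sort would not).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -d. -f"$i"); b=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "${a:-0}" -gt "${b:-0}" ]; then return 0; fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Classify one probe output line. Exit 0 = fixed, 1 = vulnerable, 2 = unknown.
expat_status() {
    v=$(extract_expat_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: no version found in '$1'"; return 2
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed: expat $v >= $FIXED_VERSION"; return 0
    else
        echo "vulnerable: expat $v < $FIXED_VERSION (CVE-2022-25235)"; return 1
    fi
}

# Probe the running host: xmlwf, then the version string inside the shared
# library, then the Debian or RPM package database.
check_system() {
    out=$(xmlwf -v 2>/dev/null)
    [ -n "$out" ] || out=$(strings /usr/lib*/libexpat.so* 2>/dev/null | grep -m1 'expat_')
    [ -n "$out" ] || out=$(dpkg-query -W -f='${Version}' libexpat1 2>/dev/null)
    [ -n "$out" ] || out=$(rpm -q --qf '%{VERSION}' expat 2>/dev/null)
    expat_status "$out"
}

check_system || :
```

Statically linked applications embed their own copy of Expat, so run the strings probe against those binaries as well, not only the shared library.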

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory corruption errors in system logs
  • Unusual XML parsing errors

Network Indicators:

  • Malformed XML payloads in network traffic
  • Unexpected connections to XML parsing services

SIEM Query:

source="*xml*" AND (error="segmentation fault" OR error="memory corruption")
