CVE-2023-52425

7.5 HIGH

📋 TL;DR

This vulnerability in libexpat allows an attacker to cause a denial of service through resource consumption by sending specially crafted XML containing large tokens that span multiple buffer fills; each additional fill forces the parser to reparse the whole pending token from the start. It affects any application that parses XML with a vulnerable version of libexpat. The impact is primarily availability degradation rather than data compromise.

💻 Affected Systems

Products:
  • libexpat
  • Any software using libexpat for XML parsing
Versions: libexpat versions through 2.5.0
Operating Systems: Linux, Unix-like systems, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations using vulnerable libexpat versions for XML parsing. Many Linux distributions and applications bundle libexpat.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU/memory exhaustion, potentially affecting all XML processing functionality in affected applications.

🟠 Likely Case: Degraded performance and intermittent service disruptions when processing malicious XML inputs, leading to partial denial of service.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and resource monitoring in place.

🌐 Internet-Facing: MEDIUM - XML parsing is common in web services and APIs, but exploitation requires sending malicious XML payloads.
🏢 Internal Only: LOW - Internal systems typically process trusted XML, though risk exists if processing untrusted internal data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious XML to vulnerable parsers. No authentication needed if XML input is accepted from untrusted sources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libexpat 2.6.0 and later

Vendor Advisory: https://github.com/libexpat/libexpat/pull/789

Restart Required: Yes

Instructions:

1. Update libexpat to version 2.6.0 or later.
2. For Linux distributions, use the package manager: 'sudo apt update && sudo apt upgrade libexpat1' (Debian/Ubuntu) or 'sudo yum update expat' (RHEL/CentOS).
3. Restart affected services using libexpat.
4. Recompile applications statically linked to libexpat.

🔧 Temporary Workarounds

Input validation and size limits (platform: all)

Implement XML input validation and size restrictions to prevent large-token attacks.

# Configure web server/application to limit XML payload size
# Example for nginx: client_max_body_size 1M;
# Example for Apache: LimitRequestBody 1048576

Resource monitoring and throttling (platform: linux)

Monitor CPU/memory usage and implement throttling for XML processing.

# Use system monitoring tools
# ulimit -v 1000000 # Limit virtual memory
# Implement rate limiting in application code
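As an added example (not part of this advisory or the libexpat project), the following Python script does two defender-side checks in one place: it compares the libexpat version that Python's pyexpat is linked against to the 2.6.0 fix threshold, and it feeds untrusted XML to the parser chunk by chunk while enforcing a cumulative byte cap, mirroring the 1 MiB payload limit suggested above. The function names, the sample XML and the default cap are assumptions of this example.

```python
import re
import xml.parsers.expat as expat

FIXED_VERSION = (2, 6, 0)          # libexpat 2.6.0 is the first fixed release
MAX_XML_BYTES = 1_048_576          # 1 MiB, the same cap as the web-server examples above


def parse_expat_version(text):
    """Extract (major, minor, patch) from strings like '2.5.0' or 'expat_2.6.0'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no libexpat version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def expat_is_fixed(version_text):
    """True when the given libexpat version is 2.6.0 or later."""
    return parse_expat_version(version_text) >= FIXED_VERSION


def installed_expat_is_fixed():
    """Check the libexpat this Python interpreter actually links (e.g. 'expat_2.5.0')."""
    return expat_is_fixed(expat.EXPAT_VERSION)


def count_elements_bounded(chunks, max_bytes=MAX_XML_BYTES):
    """Parse XML delivered in chunks (as a network reader would), refusing to keep
    feeding the parser once the cumulative input size exceeds max_bytes.
    Returns the number of start tags seen; raises ValueError on oversized input."""
    parser = expat.ParserCreate()
    element_count = 0

    def on_start(name, attrs):
        nonlocal element_count
        element_count += 1

    parser.StartElementHandler = on_start
    seen = 0
    for chunk in chunks:
        seen += len(chunk)
        if seen > max_bytes:
            # Stop before the parser can be driven through more buffer fills.
            raise ValueError(f"XML input exceeds {max_bytes} bytes; rejected")
        parser.Parse(chunk, False)
    parser.Parse(b"", True)  # signal end of input so deferred callbacks are flushed
    return element_count


if __name__ == "__main__":
    print("linked libexpat:", expat.EXPAT_VERSION, "fixed:", installed_expat_is_fixed())
    # constructed sample document split across two reads
    print("elements:", count_elements_bounded([b"<a><b/>", b"<c/></a>"]))
```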

🧯 If You Can't Patch

  • Implement strict XML input validation and reject malformed or suspicious XML
  • Deploy network-level protections like WAF with XML parsing protection rules

🔍 How to Verify

Check if Vulnerable:

Check libexpat version: 'expat --version' or 'strings /usr/lib/libexpat.so.* | grep -i expat'

Check Version:

expat --version 2>&1 | head -1

Verify Fix Applied:

Verify version is 2.6.0 or later: 'expat --version' should show 2.6.0+

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes during XML processing
  • Memory exhaustion errors
  • XML parsing timeouts or failures

Network Indicators:

  • Large XML payloads to XML parsing endpoints
  • Repeated XML requests causing performance degradation

SIEM Query:

source="application_logs" AND ("XML parse error" OR "memory exhaustion" OR "CPU spike") AND process="*expat*"
