CVE-2024-28757 in libexpat

Summary

by MITRE • 03/10/2024

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).


Analysis

by VulDB Data Team • 03/26/2026

The vulnerability identified as CVE-2024-28757 affects the libexpat XML parsing library in version 2.6.1 and earlier and presents a significant security risk through XML Entity Expansion attacks. The flaw manifests specifically when external parsers are used in isolated contexts, giving malicious actors a pathway to exploit the library's handling of XML entities. It stems from insufficient validation when external entity references are processed, which allows attackers to craft XML documents that trigger excessive resource consumption through recursive entity expansion.

The technical flaw resides in the library's XML_ExternalEntityParserCreate function, which creates external parsers without adequate safeguards against entity expansion attacks. When an external parser is instantiated, the library fails to properly enforce limits on entity expansion depth and size, so an attacker can construct XML documents containing recursive entity references that increase processing time and memory consumption exponentially. The vulnerability maps directly to CWE-400 (uncontrolled resource consumption) and relates specifically to CWE-770 (allocation of resources without limits or throttling). The attack vector leverages exponential entity expansion: each entity reference can in turn reference further entities, creating a cascade that consumes system resources rapidly.

The operational impact of this vulnerability is substantial across multiple domains including web applications, API gateways, and backend systems that process XML data from untrusted sources. Attackers can exploit this weakness to perform denial-of-service attacks that consume excessive CPU cycles and memory resources, potentially causing system crashes or making services unavailable to legitimate users. In high-traffic environments, this vulnerability can be leveraged to create resource exhaustion conditions that affect system stability and availability. The attack requires minimal privileges and can be executed through standard XML processing workflows, making it particularly dangerous in production environments where XML parsing is common. The vulnerability also aligns with ATT&CK technique T1499.004, which covers resource exhaustion attacks, and represents a classic example of how XML parsing libraries can become attack vectors for system disruption.

Organizations should immediately upgrade to libexpat version 2.6.2 or later, which contains the patches that address the entity expansion limitations. System administrators should enforce input validation that restricts XML entity expansion in every application using the library, including setting maximum entity expansion limits and disabling external entity resolution wherever possible. Network security controls such as web application firewalls should be configured to monitor and block suspicious XML processing patterns. Developers should also review code to confirm that sound XML parsing practices are in place and should consider rate limiting and resource monitoring for XML processing components. The vulnerability demonstrates how critical proper resource management is in XML parsers and why parsing libraries used in security-sensitive applications need comprehensive security testing.
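The two application-level controls named above (refusing external entity resolution and capping expansion), applied through Python's standard-library binding to libexpat (xml.parsers.expat). This is an added example, not VulDB's or libexpat's own code; `parse_with_limits`, `ExpansionRejected` and the sample documents are constructed for this illustration.

```python
import xml.parsers.expat as expat


class ExpansionRejected(Exception):
    """Raised inside a handler to abort the parse at once (constructed helper)."""


def parse_with_limits(data: bytes, max_amplification: float = 10.0) -> dict:
    """Parse `data` under two explicit policies: no external entity is ever
    resolved, and expanded character data may not exceed `max_amplification`
    times the input size. Returns a verdict dict instead of raising."""
    input_size = max(len(data), 1)
    expanded = 0

    def on_external_entity(context, base, system_id, public_id):
        # Refuse instead of fetching; the raise stops the parser immediately.
        raise ExpansionRejected(f"external entity refused: {system_id!r}")

    def on_chars(text):
        nonlocal expanded
        expanded += len(text.encode("utf-8"))  # bytes seen after entity expansion
        if expanded / input_size > max_amplification:
            raise ExpansionRejected(
                f"expansion exceeded {max_amplification}x at {expanded} bytes")

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.ExternalEntityRefHandler = on_external_entity
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except ExpansionRejected as exc:
        return {"ok": False, "reason": str(exc), "expanded_bytes": expanded}
    except expat.ExpatError as exc:
        return {"ok": False, "reason": f"malformed: {exc}", "expanded_bytes": expanded}
    return {"ok": True, "reason": "", "expanded_bytes": expanded}


# Constructed sample documents (not from the advisory): four levels of tenfold
# internal-entity nesting (about 200 bytes in, 10,000 bytes out), one external
# reference, and a benign document.
NESTED = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "xxxxxxxxxx">'
          b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">'
          b'<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">]><d>&d;</d>')
EXTERNAL = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM "ext.xml">]><d>&e;</d>'
BENIGN = b'<?xml version="1.0"?><d>hello &amp; welcome</d>'

if __name__ == "__main__":
    for name, doc in (("nested", NESTED), ("external", EXTERNAL), ("benign", BENIGN)):
        print(name, parse_with_limits(doc))
```

This guards the application's own parse and complements, rather than replaces, the upgrade to 2.6.2, since the fixed code path is libexpat's internal handling of parsers created with XML_ExternalEntityParserCreate.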

Reservation: 03/10/2024

Disclosure: 03/10/2024

Moderation: accepted

CPE: ready

EPSS: 0.02006

KEV: no

Activities: very low

Sources
