Vulnerabilities > Libexpat Project > Libexpat > 2.2.10

DATE CVE VULNERABILITY TITLE RISK
2024-02-04 CVE-2023-52425 Resource Exhaustion vulnerability in Libexpat Project Libexpat
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.
network
low complexity
libexpat-project CWE-400
7.5
2024-02-04 CVE-2023-52426 XML Entity Expansion vulnerability in Libexpat Project Libexpat
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.
local
low complexity
libexpat-project CWE-776
5.5
2022-10-24 CVE-2022-43680 Use After Free vulnerability in multiple products
In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.
7.5
2022-09-14 CVE-2022-40674 Use After Free vulnerability in multiple products
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
network
high complexity
libexpat-project debian fedoraproject CWE-416
8.1
2022-02-18 CVE-2022-25313 Uncontrolled Recursion vulnerability in multiple products
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
6.5
2022-02-18 CVE-2022-25314 Integer Overflow or Wraparound vulnerability in multiple products
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
7.5
2022-02-18 CVE-2022-25315 Integer Overflow or Wraparound vulnerability in multiple products
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
network
low complexity
libexpat-project debian fedoraproject oracle siemens CWE-190
critical
9.8
2022-02-16 CVE-2022-25235 Improper Encoding or Escaping of Output vulnerability in multiple products
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.
network
low complexity
libexpat-project debian fedoraproject oracle siemens CWE-116
critical
9.8
2022-02-16 CVE-2022-25236 Exposure of Resource to Wrong Sphere vulnerability in multiple products
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
network
low complexity
libexpat-project debian oracle siemens CWE-668
critical
9.8
2022-01-26 CVE-2022-23990 Integer Overflow or Wraparound vulnerability in multiple products
Expat (aka libexpat) before 2.4.4 has an integer overflow in the doProlog function.
7.5