CVE-2025-59375
BaseFortify
Publication date: 2025-09-15
Last updated on: 2026-05-01
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libexpat_project | libexpat | to 2.7.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in libexpat (before version 2.7.2) allows attackers to cause large dynamic memory allocations by submitting a small XML document for parsing. Specifically, it can trigger an out-of-memory condition during parsing, particularly with UTF-16BE encoded input, leading to potential denial of service due to resource exhaustion. [2]
How can this vulnerability impact me? :
The vulnerability can impact you by causing the Expat XML parser to consume excessive memory when processing crafted XML documents, potentially leading to application crashes or denial of service. This can disrupt services relying on XML parsing and affect system stability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusually large dynamic memory allocations triggered by parsing small XML documents with libexpat. The updated xmlwf tool (part of libexpat) now supports allocation tracking via command-line arguments (-a and -b) to help monitor memory usage during parsing. You can use xmlwf with these options to detect abnormal memory allocation behavior. Specific commands include: `xmlwf -a <allocation_limit> -b <block_limit> <file.xml>`. Additionally, fuzz testing with UTF-16BE encoded inputs similar to those used in OSS-Fuzz can help identify the issue. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading libexpat to version 2.7.2 or later, where the fix for this vulnerability is implemented. If upgrading is not immediately possible, consider using the updated xmlwf tool with allocation tracking enabled to limit and monitor dynamic memory usage during XML parsing. Avoid processing untrusted or malformed UTF-16BE encoded XML inputs until the patch is applied. Monitoring and limiting memory allocations can help prevent out-of-memory conditions caused by this vulnerability. [1, 2]