Introduction
Applications and services that rely on XML parsing can experience severe resource exhaustion from a single small input, leading to denial of service or degraded performance. CVE-2025-59375 highlights a memory allocation flaw in libexpat, a core XML library used in countless open source and commercial products. This vulnerability is significant due to the widespread use of libexpat in software stacks and the ease with which attackers can exploit the issue through crafted XML documents.
libexpat is a widely adopted C library for stream-oriented XML parsing. It is embedded in operating systems, web servers, programming language runtimes, and application frameworks. Its reliability and permissive licensing have made it a foundational component in the software industry, with millions of deployments worldwide. Vulnerabilities in libexpat can have broad downstream effects, impacting a diverse range of products and services.
Technical Information
CVE-2025-59375 is caused by insufficient controls on dynamic memory allocation within libexpat when parsing XML documents. In affected versions (prior to 2.7.2), an attacker can submit a small, specially crafted XML document that causes the parser to allocate a much larger amount of memory than expected. This is due to the lack of proper checks or throttling on allocation requests in certain code paths. The vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling.
The root cause is documented in the libexpat GitHub repository and associated issues.
The vulnerability allows attackers to trigger large heap allocations by manipulating XML structures that the parser does not adequately constrain. This can result in denial of service as the process or system runs out of memory. The issue is fixed in libexpat version 2.7.2, which introduces stricter allocation checks and improved resource management.
Affected Systems and Versions
- libexpat versions prior to 2.7.2 are affected
- All configurations using vulnerable versions are at risk, especially when parsing untrusted XML input
- The vulnerability is present in both direct and indirect consumers of libexpat (including applications and frameworks that bundle or link against the library)
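As an added example, not code from the libexpat project or this advisory, the two checks a deployment would want: a comparison of the linked libexpat version against the 2.7.2 fix, and a worker process with a hard address-space cap so that an allocation blowup in the parser kills the worker rather than the service. It uses Python because its pyexpat module links libexpat (bundled or from the system); the 2 GiB cap, the 10-second timeout and the sample document are assumptions chosen for the illustration.

```python
import multiprocessing
import resource
import xml.parsers.expat as expat  # Python's bundled (or system) libexpat

FIXED_VERSION = (2, 7, 2)  # CVE-2025-59375 is fixed in libexpat 2.7.2


def parse_expat_version(version_string):
    """Turn a libexpat version string such as 'expat_2.7.1' or '2.7.1' into a tuple."""
    digits = version_string.rsplit("_", 1)[-1]
    return tuple(int(part) for part in digits.split("."))


def is_affected(version_tuple):
    """True when the given libexpat version is older than the fixed release."""
    return tuple(version_tuple) < FIXED_VERSION


def linked_expat_is_affected():
    """Check the libexpat this interpreter actually links against (indirect consumer)."""
    return is_affected(expat.version_info)


def _parse_worker(xml_bytes, max_bytes, conn):
    # Cap the worker's address space, clamped to any hard limit already in place.
    _soft, hard = resource.getrlimit(resource.RLIMIT_AS)
    cap = max_bytes if hard == resource.RLIM_INFINITY else min(max_bytes, hard)
    resource.setrlimit(resource.RLIMIT_AS, (cap, cap))
    parser = expat.ParserCreate()
    seen = []  # element names, to show the parse actually ran
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        parser.Parse(xml_bytes, True)
        conn.send(("ok", len(seen)))
    except (expat.ExpatError, MemoryError) as exc:  # MemoryError: cap was hit
        conn.send(("error", type(exc).__name__))
    finally:
        conn.close()


def parse_untrusted(xml_bytes, max_bytes=2 << 30, timeout=10):
    """Parse untrusted XML in a throwaway process; returns ('ok', n) or ('error', why)."""
    recv_end, send_end = multiprocessing.Pipe(duplex=False)
    worker = multiprocessing.Process(target=_parse_worker, args=(xml_bytes, max_bytes, send_end))
    worker.start()
    send_end.close()  # so EOF is seen if the worker dies without reporting
    try:
        result = recv_end.recv() if recv_end.poll(timeout) else ("error", "Timeout")
    except EOFError:  # worker was killed (e.g. by the OS) before it could answer
        result = ("error", "WorkerDied")
    worker.join(timeout)
    if worker.is_alive():
        worker.kill()
        worker.join()
    return result


if __name__ == "__main__":
    sample = b"<root><a/><b>text</b></root>"  # constructed sample input
    print("libexpat", expat.EXPAT_VERSION, "affected:", linked_expat_is_affected())
    print(parse_untrusted(sample))
```

The address-space cap is a containment measure only; upgrading every direct and bundled copy of libexpat to 2.7.2 or later is the actual fix.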
Vendor Security History
libexpat has experienced several resource management vulnerabilities in recent years:
- CVE-2024-8176: Stack overflow via recursive entity expansion (fixed in 2.7.0)
- CVE-2012-1148: Memory leak in poolGrow function
The project maintainers have responded to these issues with targeted patches and with improved fuzzing coverage and resource checks in recent releases. However, the recurrence of resource exhaustion vulnerabilities indicates ongoing architectural challenges.