PT-2024-2082 · Libexpat+11

Carnil · Published 2024-03-09 · Updated 2026-06-05 · CVE-2024-28757

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: libexpat versions 2.6.1 and earlier (libexpat through 2.6.1)
Description: The issue is related to the improper handling of XML external entity (XXE) declarations by the XML_ExternalEntityParserCreate function, allowing an XML Entity Expansion attack. A remote attacker can exploit this by sending specially crafted XML content to obtain sensitive information or cause a denial of service. The estimated number of potentially affected devices is not specified.
Recommendations: For libexpat versions 2.6.1 and earlier, update to version 2.6.2 or later to resolve the issue. As a temporary workaround, consider disabling the use of external parsers created via XML_ExternalEntityParserCreate until a patch is available. Restrict access to sensitive information and minimize the risk of exploitation by limiting the use of libexpat in sensitive environments.

Tags: Fix · DoS · RCE · XML Entity Expansion · XXE


Weakness Enumeration

Related Identifiers

ALSA-2024:1530
AZL-35841
AZL-35880
BDU:2024-01976
CLEANSTART-2026-EM10970
CLEANSTART-2026-MH09144
CLEANSTART-2026-YT18139
CVE-2024-28757
ECHO-A55F-EDC3-4BAE
MGASA-2024-0072
OESA-2024-1379
OPENSUSE-SU-2024:13779-1
OPENSUSE-SU-2024_1129-1
RHSA-2024:1530
RHSA-2024:3926
RHSA-2024_1530
ROSA-SA-2025-2604
SUSE-SU-2024:1129-1
SUSE-SU-2024:1129-2
SUSE-SU-2025:20045-1
SUSE-SU-2025:20207-1
SUSE-SU-2025:20311-1
USN-6694-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
IBM AIX
Linux Mint
Red Hat
RED OS
SUSE
Ubuntu
libexpat