The 2MB Assassin: Inside the Unfixed libexpat DoS (CVE-2025-66382)
Vulnerability ID: CVE-2025-66382
CVSS Score: 6.2
Published: 2025-11-28
In the world of foundational software, few libraries are as load-bearing as libexpat. From Python to Apache, it parses the XML that powers the internet. CVE-2025-66382 exposes a nasty algorithmic complexity flaw in this ubiquitous library, where a specially crafted 2MB file can lock up a CPU for nearly two minutes. As of early 2026, this vulnerability remains unfixed, leaving a massive surface area exposed to Denial of Service attacks.
TL;DR
A 2MB XML file can cause libexpat to consume 25-100 seconds of CPU time due to inefficient algorithmic complexity (O(n^2)). Affects all versions through 2.7.3. Currently unfixed.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-407 (Inefficient Algorithmic Complexity)
- Attack Vector: Local / Remote (Context Dependent)
- CVSS v3.1: 6.2 (Medium)
- Impact: Denial of Service (CPU Exhaustion)
- Trigger Size: ~2 MiB
- Exploit Status: Proof of Concept Exists (Private)
Affected Systems
- libexpat <= 2.7.3
- Python (xml.etree, xml.sax)
- PHP (xml extension)
- Apache HTTP Server (apr-util)
- Firefox
- LibreOffice
- Node.js (node-expat)
- libexpat: <= 2.7.3 (Fixed in: None; anticipated in 2.7.4)
Exploit Details
- Manual Analysis: Private PoC held by researcher and maintainer
Mitigation Strategies
- Application-level timeouts for XML parsing
- Strict input size limits (e.g., < 1MB)
- Process isolation / Sandboxing
- Resource monitoring for CPU spikes
Remediation Steps
- Identify all components using libexpat (Python, PHP, Apache, etc.).
- Configure WAF or Load Balancer to drop XML payloads > 1MB if feasible.
- Implement watchdog timers in application code to kill parsing threads taking > 5 seconds.
- Subscribe to the oss-security mailing list to watch for libexpat 2.7.4 release.
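The size limit and watchdog timer from the mitigation strategies and remediation steps above, written out as an added example for Python (one of the expat consumers listed). This is not code from the page or from the libexpat project; the 1 MB cap and 5-second budget are taken from the guidance above, and the function names, the XMLRejected exception and the sample inputs are this example's own assumptions. It shows two enforcement styles: a cooperative watchdog that feeds expat in chunks and checks the clock between them, and a hard watchdog that parses in a child process the OS can kill.

```python
"""Defensive XML intake for expat-backed parsers (added example, not libexpat code).

Two layers from the page's mitigation list: a hard size cap before any parsing,
and a watchdog so that a pathological document cannot hold a CPU for minutes.
Names, limits and the sample inputs below are this example's own assumptions.
"""
import subprocess
import sys
import time
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1_000_000   # assumed cap, from the "< 1 MB" guidance on the page
PARSE_DEADLINE_S = 5.0      # assumed budget, from the "> 5 seconds" guidance
FEED_CHUNK = 64 * 1024      # feed granularity for the cooperative watchdog


class XMLRejected(Exception):
    """Input refused by the size gate or the parse watchdog."""


def check_size(data: bytes, max_bytes: int = MAX_XML_BYTES) -> int:
    """Reject oversized payloads before expat ever sees them; returns the size."""
    if len(data) > max_bytes:
        raise XMLRejected(f"payload is {len(data)} bytes, limit is {max_bytes}")
    return len(data)


def parse_with_deadline(data: bytes, max_bytes: int = MAX_XML_BYTES,
                        deadline_s: float = PARSE_DEADLINE_S) -> ET.Element:
    """Cooperative watchdog: feed expat in chunks and check the clock between them.

    A running parse cannot be interrupted mid-call from Python, so the deadline
    is enforced at chunk boundaries; the overshoot is bounded by one chunk's work.
    """
    check_size(data, max_bytes)
    parser = ET.XMLParser()          # xml.etree, one of the expat consumers listed
    started = time.monotonic()
    for offset in range(0, len(data), FEED_CHUNK):
        parser.feed(data[offset:offset + FEED_CHUNK])
        elapsed = time.monotonic() - started
        if elapsed > deadline_s:
            raise XMLRejected(f"parse exceeded {deadline_s}s after "
                              f"{min(offset + FEED_CHUNK, len(data))} bytes")
    return parser.close()


# Child-process body: parse stdin fully, report the root tag and element count.
_WORKER = (
    "import sys, xml.etree.ElementTree as ET\n"
    "root = ET.fromstring(sys.stdin.buffer.read())\n"
    "print(root.tag, sum(1 for _ in root.iter()))\n"
)


def parse_in_subprocess(data: bytes, max_bytes: int = MAX_XML_BYTES,
                        deadline_s: float = PARSE_DEADLINE_S) -> tuple:
    """Hard watchdog: parse in a child the OS can kill once the deadline passes.

    subprocess.run() terminates the child itself when the timeout expires, so a
    quadratic blow-up inside expat cannot pin the parent's CPU.
    """
    check_size(data, max_bytes)
    try:
        proc = subprocess.run([sys.executable, "-c", _WORKER], input=data,
                              capture_output=True, timeout=deadline_s, check=True)
    except subprocess.TimeoutExpired:
        raise XMLRejected(f"parse exceeded {deadline_s}s; child process killed") from None
    except subprocess.CalledProcessError as exc:
        lines = exc.stderr.decode(errors="replace").strip().splitlines()
        detail = lines[-1] if lines else f"exit status {exc.returncode}"
        raise XMLRejected(f"parse failed: {detail}") from None
    tag, count = proc.stdout.decode().split()
    return tag, int(count)


if __name__ == "__main__":
    # Constructed sample inputs: a benign document and an over-limit blob.
    sample = b"<feed><entry id='1'/><entry id='2'/></feed>"
    print(parse_with_deadline(sample).tag, parse_in_subprocess(sample))
    try:
        check_size(b"<x>" + b"a" * 2_000_000 + b"</x>")   # ~2 MB, the trigger size
    except XMLRejected as err:
        print("rejected:", err)
```

The cooperative variant is cheap and keeps the parsed tree in-process, but it only fires between feed() calls; the subprocess variant costs a process spawn per document and returns only what the child prints, but it is the one that actually enforces "kill parsing taking > 5 seconds" against a CPU-bound parse. Reject on size first in both paths so the 2 MiB trigger never reaches expat at all.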