
Expat 2.5.0 released, includes security fixes

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C (specifically C99). It is cross-platform and licensed under the MIT license.

Expat 2.5.0 was released earlier today. Most importantly, this release fixes CVE-2022-43680: a heap use-after-free following overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate, reachable only in out-of-memory situations (i.e. when an allocation inside that function fails), with an expected impact of denial of service or potentially arbitrary code execution. There are non-security bugfixes and other improvements, too. For more details, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.5.0. Thank you!
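One practical way to find out which libexpat a bundled copy really links against, and to see the API path the fix concerns, is CPython's own bundled wrapper, pyexpat. The script below is an added example written for this page, not code from the Expat project or from this announcement; it uses only the Python standard library, and the XML document and the entity bodies are constructed inline. It does not trigger the bug (that requires a failed allocation inside XML_ExternalEntityParserCreate); it compares the linked Expat version against 2.5.0 and exercises the external-entity sub-parser that the CVE names, which pyexpat creates through exactly that function. The names `FIXED_IN`, `expat_is_fixed` and `parse_with_external_entities` are this example's own.

```python
"""Check the libexpat version linked into this Python and exercise the
external-entity sub-parser path (XML_ExternalEntityParserCreate).

Added example for this page; not Expat project code. Standard library only."""
import pyexpat
from xml.parsers.expat import ParserCreate

# First release that contains the fix for CVE-2022-43680, per the announcement.
FIXED_IN = (2, 5, 0)

# Constructed sample input: a document whose body references one external
# general entity, and an in-memory table standing in for the files or URLs
# those system identifiers would normally point at.
SAMPLE_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE doc [\n"
    '  <!ENTITY ext SYSTEM "greeting.txt">\n'
    "]>\n"
    "<doc>&ext;</doc>"
)
SAMPLE_ENTITIES = {"greeting.txt": "hello from the external entity"}


def expat_version():
    """Return the (major, minor, micro) tuple of the libexpat pyexpat links to."""
    return tuple(pyexpat.version_info)


def expat_is_fixed(version=None):
    """True when the given (or the linked) libexpat is 2.5.0 or newer."""
    v = expat_version() if version is None else tuple(version)
    return v >= FIXED_IN


def parse_with_external_entities(doc, entity_bodies):
    """Parse `doc`, resolving external entities only from `entity_bodies`.

    Every external reference makes pyexpat call XML_ExternalEntityParserCreate
    to build a child parser sharing the parent's DTD; the child parser is used
    once and then dropped. Unknown system ids make the whole parse fail.
    Returns the concatenated character data seen by parent and child parsers."""
    chunks = []
    parser = ParserCreate()

    def on_chars(data):
        chunks.append(data)

    def on_external_entity(context, base, system_id, public_id):
        body = entity_bodies.get(system_id)
        if body is None:
            # Returning 0 tells Expat the reference could not be handled;
            # Parse() then raises ExpatError instead of silently skipping it.
            return 0
        # This call is the XML_ExternalEntityParserCreate path named in the CVE.
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = on_chars
        child.Parse(body, True)
        return 1

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(doc, True)
    return "".join(chunks)


if __name__ == "__main__":
    ver = ".".join(str(x) for x in expat_version())
    status = "fixed" if expat_is_fixed() else "VULNERABLE, update to 2.5.0+"
    print(f"linked libexpat {ver} ({pyexpat.EXPAT_VERSION}): {status}")
    print("parsed text:", parse_with_external_entities(SAMPLE_DOC, SAMPLE_ENTITIES))
```

The same check carries over to other bundled copies: whatever language runtime or application embeds Expat, what matters is the version actually linked at run time, not the one a build manifest claims, so query the library (here `pyexpat.version_info`, in C `XML_ExpatVersionInfo()`) rather than trusting the pin.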

Sebastian Pipping