For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.7.2 was released earlier today. The key motivation for cutting a release and doing so now is the fix for vulnerability CVE-2025-59375, which ClusterFuzz/OSS-Fuzz uncovered through their automated, continuous fuzzing: A file of ~250 KiB size was able to make unfixed Expat allocate ~800 MiB of dynamic memory — an "amplification" of factor ~3,300 — that an attacker could leverage to cause remote denial of service.

The rest of the release is the usual mix of improvements and fixes to the two build systems, documentation, infrastructure, as well as addressing warnings from compilers and static analysis tools.

Thanks to everyone who contributed to this release of Expat!

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.7.2. Thank you!

Sebastian Pipping