For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.7.3 was released earlier today. The key motivation for cutting a release and doing so now is the two regressions fixed with earlier security fixes:

• The original fix for vulnerability CVE-2024-8176 in Expat 2.7.0 turned out to cause false reports as well-formed for some malformed documents that should have been rejected with error XML_ERROR_ASYNC_ENTITY.

• The original fix for vulnerability CVE-2025-59375 in Expat 2.7.2 turned out to have portability issues with regard to some non-amd64 architectures (e.g. sparc32).

While neither of these fixes is known to have a security impact, they should be of particular interest to distributors who backported one or more of the original fixes.

The rest of the release consists of a mix of minor improvements and fixes, particularly in documentation and infrastructure.

Thanks to everyone who contributed to this release of Expat!

For more details about this release, please check out the change log.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat, please update to version 2.7.3. Thank you!

Sebastian Pipping