CVE-2025-66382
2.9 LOW
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Published: 2025-11-28 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 2.9 LOW
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE: CWE-407
Affected products
| Vendor | Product |
|---|---|
| libexpat_project | libexpat |
Description
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-66382)
- [Other](https://github.com/libexpat/libexpat/issues/1076)
- [Other](http://www.openwall.com/lists/oss-security/2025/12/02/1)
- [Other](https://cert-portal.siemens.com/productcert/html/ssa-082556.html)
- [Other](https://cert-portal.siemens.com/productcert/html/ssa-253495.html)
Related CVEs
Same vendor
- CVE-2026-50219 — libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_Pa... (4.9 MEDIUM)
- CVE-2026-25210 — In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow... (6.9 MEDIUM)
- CVE-2026-24515 — In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data (2.9 LOW)
Same CWE
- CVE-2026-45664 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.3 MEDIUM)
- CVE-2026-41850 — Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service... (7.5 HIGH)
- CVE-2026-11312 — A vulnerability was found in bytedance InfiniStore up to 0.2.33 (3.3 LOW)
- CVE-2026-8889 — Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist ... (7.5 HIGH)
- CVE-2026-3276 — unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining cha...