Stack Exhaustion Vulnerability in Expat Library by libexpat
CVE-2022-25313

6.5MEDIUM

Key Information:

Vendor

Libexpat Project

Status
Libexpat
Vendor
CVE Published:
18 February 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2022-25313?

In the Expat library, prior to version 2.4.5, a vulnerability exists that allows an attacker to induce stack exhaustion by leveraging a high nesting depth within DTD elements. This can lead to application instability and potential denial of service, as the excessive depth causes the stack to overflow. Users of the affected versions are strongly recommended to update to the patched version to mitigate this risk.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

external_expact_AOSP10_r33_CVE-2022-25313
Created by ShaikUsaf

external_expat-2.1.0_CVE-2022-25313
Created by Trinadh465

References

https://github.com/libexpat/libexpat/pull/558
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/02/19/1
mailing-listx_refsource_MLIST
https://www.debian.org/security/2022/dsa-5085
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.