CVE-2023-52426 Overview
CVE-2023-52426 is a recursive XML Entity Expansion vulnerability in libexpat, a widely used XML parsing library. When XML_DTD is undefined at compile time, the library does not compile in its protection against exponential entity expansion, commonly known as "Billion Laughs" attacks. This allows attackers to craft malicious XML documents that cause denial of service through resource exhaustion.
Critical Impact
Systems running libexpat versions through 2.5.0 compiled without XML_DTD are vulnerable to denial of service attacks through specially crafted XML documents that trigger recursive entity expansion, potentially exhausting system memory and CPU resources.
Affected Products
- libexpat versions through 2.5.0
- Applications using libexpat compiled without XML_DTD defined
- Builds where general entities are still expanded (XML_GE == 1) but XML_DTD is undefined, so the entity expansion protection is not compiled in
Discovery Timeline
- 2024-02-04 - CVE-2023-52426 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-52426
Vulnerability Analysis
The vulnerability exists in libexpat's handling of XML entity expansion when the library is compiled without the XML_DTD preprocessor definition. Under these specific compile-time conditions, the Billion Laughs attack protection mechanisms (introduced in Expat 2.4.0) are not activated, leaving the parser vulnerable to exponential entity expansion attacks.
The Billion Laughs attack works by defining nested XML entities that recursively reference each other, causing exponential growth in memory consumption when the XML document is parsed. Without proper protection, a small XML document (only a few kilobytes) can expand to consume gigabytes of memory, leading to denial of service.
The core issue is that the protection functions XML_SetBillionLaughsAttackProtectionMaximumAmplification() and XML_SetBillionLaughsAttackProtectionActivationThreshold() were only conditionally compiled when XML_DTD was defined, leaving a gap in protection for builds without DTD support.
Root Cause
The root cause is incomplete conditional compilation logic in libexpat's security mechanisms. The Billion Laughs attack protection was tied exclusively to the XML_DTD compile flag, but entity expansion can also occur through general entities (XML_GE) when DTD processing is disabled. This oversight meant that builds configured without DTD support lacked the exponential entity expansion protections, despite still being capable of processing entities that could trigger the attack.
Attack Vector
The attack vector is local: the attacker must be able to supply a malicious XML document to an application that parses it with the vulnerable libexpat build. The crafted document contains deeply nested entity definitions that expand exponentially when parsed. Since the attacker needs to get input in front of the XML parser, exploitation typically occurs through:
- Uploading malicious XML files to applications that parse user-supplied XML
- Providing crafted XML through API endpoints that process XML input
- Including malicious XML in configuration files or data imports
The following patch extends the scope of Billion Laughs attack protection to cover builds where XML_GE is enabled:
XMLPARSEAPI(const XML_Feature *)
XML_GetFeatureList(void);
-#ifdef XML_DTD
-/* Added in Expat 2.4.0. */
+#if defined(XML_DTD) || XML_GE == 1
+/* Added in Expat 2.4.0 for XML_DTD defined and
+ * added in Expat 2.6.0 for XML_GE == 1. */
XMLPARSEAPI(XML_Bool)
XML_SetBillionLaughsAttackProtectionMaximumAmplification(
XML_Parser parser, float maximumAmplificationFactor);
-/* Added in Expat 2.4.0. */
+/* Added in Expat 2.4.0 for XML_DTD defined and
+ * added in Expat 2.6.0 for XML_GE == 1. */
XMLPARSEAPI(XML_Bool)
XML_SetBillionLaughsAttackProtectionActivationThreshold(
XML_Parser parser, unsigned long long activationThresholdBytes);
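Review bot: the hunk only changes the guard around the two declarations in the public header; the matching `#ifdef XML_DTD` guards around the definitions of XML_SetBillionLaughsAttackProtectionMaximumAmplification and XML_SetBillionLaughsAttackProtectionActivationThreshold (and around the accounting state they rely on) need the identical `defined(XML_DTD) || XML_GE == 1` condition, otherwise a build with XML_DTD undefined and XML_GE == 1 declares functions it never defines. The closing `#endif` of this block is outside the visible context, so it is worth confirming that nothing else between these declarations and that `#endif` changed visibility unintentionally, and that `XML_GE` is always defined (or defaults to 0) wherever this header is included, since an undefined macro in `#if` silently evaluates to 0.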
Source: GitHub Commit Reference
Detection Methods for CVE-2023-52426
Indicators of Compromise
- Abnormal memory consumption spikes in applications performing XML parsing operations
- Processes consuming excessive CPU time during XML document processing
- Application crashes or out-of-memory errors when handling XML input
- XML documents with deeply nested entity definitions in logs or incoming data
Detection Strategies
- Monitor system resource utilization for processes that handle XML parsing, looking for sudden memory or CPU spikes
- Implement XML input validation to detect and reject documents with excessive entity definitions before parsing
- Use application-level logging to track XML parsing duration and flag unusually long parse times
- Deploy file integrity monitoring on systems using libexpat to detect unauthorized library modifications
Monitoring Recommendations
- Set up alerts for memory consumption thresholds on services that process XML data
- Log and analyze incoming XML payloads for suspicious entity definition patterns
- Monitor libexpat version across your infrastructure to identify vulnerable installations
- Track parsing failures and timeouts as potential indicators of exploitation attempts
How to Mitigate CVE-2023-52426
Immediate Actions Required
- Upgrade libexpat to version 2.6.0 or later, which extends Billion Laughs protection to XML_GE builds
- Audit compile-time flags used when building libexpat to ensure XML_DTD or XML_GE protections are enabled
- Implement input size limits on XML documents accepted by your applications
- Review and restrict which services and applications accept XML input from untrusted sources
Patch Information
The vulnerability has been addressed in the libexpat project through commit 0f075ec8ecb5e43f8fdca5182f8cca4703da0404. The fix extends the conditional compilation of Billion Laughs attack protection to include builds where XML_GE == 1, ensuring protection is available regardless of whether XML_DTD is defined.
The patch modifies the CMake build configuration and header files to use the combined condition defined(XML_DTD) || XML_GE == 1 for enabling the protection APIs. This change is included in libexpat 2.6.0 and later versions. For detailed patch information, see the GitHub Pull Request and GitHub Commit Reference.
Additional security advisories have been published by NetApp and Fedora.
Workarounds
- Recompile libexpat with XML_DTD defined to enable existing Billion Laughs protection mechanisms
- Implement application-level XML parsing limits to cap entity expansion depth and total expansion size
- Use XML validation or pre-processing to strip or reject documents containing DTD declarations and entity definitions
- Deploy resource limits (cgroups, ulimits) on processes that handle XML parsing to contain potential DoS impact
# Configuration example
# Rebuild libexpat with DTD support to enable Billion Laughs protection
cmake -DEXPAT_DTD=ON -DEXPAT_GE=ON ..
make
make install
# Or set resource limits for XML processing services
# /etc/security/limits.conf
# xmlservice soft as 2097152 # 2GB memory limit
# xmlservice hard as 4194304 # 4GB hard limit
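The pre-parse validation the detection and workaround lists call for, as an added example that is not libexpat's code: it statically estimates how far the internal-subset entities of a document would expand, without ever building the expanded string, and applies the same two knobs as expat's own protection (an activation threshold and a maximum amplification factor). The regexes, the function names and the constructed sample documents are assumptions of this example; it is a heuristic gate placed in front of the parser, not an XML parser, and it ignores parameter entities and attribute defaults.

```python
# Added example, not libexpat code: static estimate of entity expansion (in characters).
import re

INTERNAL_SUBSET = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r"<!ENTITY\s+([^\s%]\S*)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")

# Constructed samples: a benign document and the five-level "Billion Laughs" shape.
BENIGN_XML = '<!DOCTYPE note [<!ENTITY co "Example Corp">]><note>&co;</note>'
NESTED_XML = "<!DOCTYPE lolz [\n<!ENTITY lol \"lol\">\n" + "\n".join(
    '<!ENTITY lol%d "%s">' % (i, ("&lol%s;" % (i - 1 or "")) * 10) for i in range(1, 6)
) + "\n]>\n<lolz>&lol5;</lolz>"


def _expanded_len(name, decls, memo, stack):
    """Length of entity `name` after full expansion; never builds the string."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    stack.add(name)
    text, total, pos = decls[name], 0, 0
    for m in ENTITY_REF.finditer(text):
        # Predefined (&lt; ...) and external entities stay literal; others recurse.
        inner = len(m.group(0)) if m.group(1) not in decls else \
            _expanded_len(m.group(1), decls, memo, stack)
        total, pos = total + (m.start() - pos) + inner, m.end()
    stack.discard(name)
    memo[name] = total + len(text) - pos
    return memo[name]


def check_entity_amplification(xml_text, max_amplification=100.0,
                               activation_threshold=8 * 1024 * 1024):
    """Return (accepted, amplification, expanded_chars). As in expat, the amplification
    limit only applies once the expanded output exceeds activation_threshold."""
    direct = len(xml_text)
    subset = INTERNAL_SUBSET.search(xml_text)
    if subset is None:
        return True, 1.0, direct
    decls = {}
    for d in ENTITY_DECL.finditer(subset.group(1)):  # XML rule: first declaration wins
        decls.setdefault(d.group(1), d.group(2) if d.group(2) is not None else d.group(3))
    expanded, memo = direct, {}
    try:
        for m in ENTITY_REF.finditer(xml_text[subset.end():]):
            if m.group(1) in decls:
                expanded += _expanded_len(m.group(1), decls, memo, set()) - len(m.group(0))
    except (ValueError, RecursionError):  # cycle or absurdly deep chain: reject outright
        return False, float("inf"), direct
    amplification = expanded / direct
    return (expanded <= activation_threshold or amplification <= max_amplification,
            amplification, expanded)
```

With expat's default threshold of 8 MiB the five-level sample is still accepted despite a several-hundred-fold amplification, which is why a service that only ever expects small documents should lower the activation threshold rather than rely on the factor alone.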