CVE-2024-28757 Overview
CVE-2024-28757 is a denial of service vulnerability in libexpat, a widely used XML parsing library, affecting versions through 2.6.1. The vulnerability allows attackers to perform an XML Entity Expansion attack (also known as a "Billion Laughs" attack) when applications make isolated use of external parsers created via the XML_ExternalEntityParserCreate function. This can lead to excessive memory consumption and CPU exhaustion, effectively causing a denial of service condition.
Critical Impact
Remote attackers can exploit this vulnerability to cause denial of service through resource exhaustion without requiring authentication or user interaction.
Affected Products
- libexpat_project libexpat (through version 2.6.1)
- Fedora 38, 39, and 40
- NetApp Active IQ Unified Manager
- NetApp OnCommand Workflow Automation
- NetApp ONTAP and ONTAP Tools
- NetApp Windows Host Utilities
- NetApp H-Series Hardware (H300s, H500s, H700s, H410s, H410c, H610c, H610s) and firmware
Discovery Timeline
- 2024-03-10 - CVE-2024-28757 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-28757
Vulnerability Analysis
This vulnerability is classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs), commonly associated with XML Entity Expansion attacks. The flaw exists in how libexpat handles external entity parsing when applications use the XML_ExternalEntityParserCreate function in isolation.
When processing maliciously crafted XML documents, the parser fails to properly restrict recursive entity references. An attacker can construct XML documents with nested entity definitions that expand exponentially when parsed, leading to resource exhaustion. This attack pattern requires no authentication and can be triggered remotely over the network whenever an application parses untrusted XML input using vulnerable versions of libexpat.
The impact is limited to availability rather than confidentiality or integrity, as the vulnerability results in denial of service through memory and CPU exhaustion rather than information disclosure or code execution.
Root Cause
The root cause lies in improper restriction of recursive entity references when external parsers are created via XML_ExternalEntityParserCreate. The library does not adequately limit the expansion of nested XML entities in this specific parsing context, allowing exponential growth of parsed content from relatively small XML input. This is a classic Billion Laughs attack vector where each entity reference expands to multiple copies of another entity, creating an exponential explosion in memory usage.
Attack Vector
The attack vector is network-based, requiring an attacker to submit a specially crafted XML document to an application that uses libexpat for parsing. The attack characteristics include:
- Network Accessible: Attackers can exploit this remotely without local access
- Low Complexity: No special conditions or prerequisites required
- No Privileges Required: Authentication is not needed to trigger the vulnerability
- No User Interaction: Exploitation does not require victim interaction
An attacker would craft an XML document containing nested entity definitions, each of which references many copies of the previous one. When the target application parses this document using an external parser created via XML_ExternalEntityParserCreate, the entity expansion consumes excessive system resources.
The expansion mechanism is the same as in any Billion Laughs attack; what is specific to this CVE is that the expansion takes place in an external parser used in isolation, the context in which libexpat did not adequately limit it. Technical details are available in GitHub Issue #839.
Detection Methods for CVE-2024-28757
Indicators of Compromise
- Abnormally high memory consumption by processes using libexpat for XML parsing
- CPU spikes correlated with XML processing operations
- Application crashes or unresponsive services following XML document submission
- XML documents with unusually many or deeply nested entity declarations appearing in application logs (the input itself can be small; it is the expansion that is large)
Detection Strategies
- Monitor system resource utilization for processes handling XML parsing operations
- Implement application-level logging to track XML parsing duration and resource consumption
- Deploy network-based detection rules to identify XML documents with excessive entity declarations
- Use software composition analysis (SCA) tools to identify applications using vulnerable libexpat versions
Monitoring Recommendations
- Configure alerts for memory exhaustion events in systems running XML processing applications
- Establish baseline resource utilization metrics for XML parsing services to detect anomalies
- Monitor application logs for XML parsing errors or timeout events
- Track libexpat version deployments across infrastructure using asset inventory tools
How to Mitigate CVE-2024-28757
Immediate Actions Required
- Upgrade libexpat to version 2.6.2 or later, which contains the fix for this vulnerability
- Audit applications and systems to identify all instances of libexpat usage
- Apply vendor-specific patches for affected NetApp and Fedora products
- Consider implementing input validation to limit XML document size and entity depth
Patch Information
The fix for CVE-2024-28757 is available in the libexpat repository. The patch addresses the recursive entity expansion issue in external parser handling. Organizations should apply updates from their respective vendors:
- libexpat: Update to version 2.6.2 or later, which contains the fix merged in GitHub Pull Request #842
- Fedora: Apply updates via the Fedora package announcements
- NetApp: Refer to NetApp Security Advisory ntap-20240322-0001
Workarounds
- Implement XML entity expansion limits at the application level where possible
- Configure web application firewalls to detect and block XML documents with excessive entity declarations
- Disable external entity processing if not required by the application
- Consider using alternative XML parsing configurations that do not rely on XML_ExternalEntityParserCreate
# Verify the installed libexpat version on Linux systems (requires the development package that ships expat.pc)
pkg-config --modversion expat
# List installed expat packages and their versions on Fedora
rpm -qa | grep expat
# Update libexpat on Fedora
sudo dnf update expat
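The application-level entity expansion limit suggested under Workarounds, written as an added example that is not code from this advisory or from the libexpat project. It uses Python's xml.parsers.expat bindings (a wrapper around libexpat) so the same guard can be exercised on a root parser and on a child parser from ExternalEntityParserCreate used in isolation, the usage this advisory describes; the 100x ratio, the entity-reference regex, all function names and the sample documents are assumptions or constructed here.

```python
import re
import xml.parsers.expat as expat

FIXED_VERSION = (2, 6, 2)      # first libexpat release with the fix, per the advisory
_ENTITY_REF = re.compile(r"&([^&#;\s]+);")

class EntityExpansionError(ValueError):
    pass

def libexpat_is_fixed(version=None):
    return tuple(version or expat.version_info)[:3] >= FIXED_VERSION  # linked libexpat

def install_guard(parser, max_amplification=100.0):
    """Attach an EntityDeclHandler that charges each internal general entity its
    fully expanded size and aborts once expanded/declared bytes exceed the ratio."""
    expanded = {}                # entity name -> fully expanded length
    totals = {"declared": 0, "expanded": 0}
    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if is_pe or value is None:       # parameter/external entities: not expanded here
            return
        # libexpat leaves general entity references inside a value unexpanded, so
        # each "&x;" in the literal is swapped for the expanded size of x
        size = len(value)
        for ref in _ENTITY_REF.findall(value):
            size += expanded.get(ref, len(ref) + 2) - (len(ref) + 2)
        expanded[name] = size
        totals["declared"] += len(value)
        totals["expanded"] += size
        if totals["expanded"] > max_amplification * totals["declared"]:
            raise EntityExpansionError(f"{name!r} would expand to {size} bytes")
    parser.EntityDeclHandler = on_entity_decl
    return totals

def check_expansion(text, via_external_parser=False, max_amplification=100.0):
    """Return (accepted, amplification). With via_external_parser=True, text is an
    external DTD subset parsed by an isolated ExternalEntityParserCreate child parser."""
    root = expat.ParserCreate()
    totals = install_guard(root, max_amplification)    # child below inherits the handler
    parser = root.ExternalEntityParserCreate(None) if via_external_parser else root
    try:
        parser.Parse(text, True)
    except EntityExpansionError:
        return False, totals["expanded"] / totals["declared"]
    return True, totals["expanded"] / max(totals["declared"], 1)

# Constructed samples: a benign entity, and a four-level chain of ten-fold references
BENIGN_XML = '<!DOCTYPE r [<!ENTITY co "Example Corp">]><r>&co;</r>'
NESTED_DTD = '<!ENTITY lol0 "lol">' + "".join(
    '<!ENTITY lol%d "%s">' % (i, "&lol%d;" % (i - 1) * 10) for i in range(1, 5))
NESTED_XML = "<!DOCTYPE r [%s]><r>&lol4;</r>" % NESTED_DTD
```

The nested sample is rejected at the lol4 declaration (243 declared bytes that would expand to 33,333 bytes), before any reference is actually expanded, on both the root parser and the isolated child parser; on a fixed libexpat the guard simply adds a second line of defence.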
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

