{
  "threat_severity" : "Moderate",
  "public_date" : "2024-02-04T00:00:00Z",
  "bugzilla" : {
    "description" : "expat: parsing large tokens can trigger a denial of service",
    "id" : "2262877",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2262877"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.", "A flaw was found in Expat (libexpat). When parsing a large token that requires multiple buffer fills to complete, Expat has to re-parse the token from the start numerous times. This process may trigger excessive resource consumption, leading to a denial of service." ],
  "statement" : "The identified flaw in Expat presents a moderate-severity issue because it can facilitate resource exhaustion, particularly when parsing large tokens that require multiple buffer fills. As Expat repeatedly re-parses such tokens from the beginning, the result is disproportionate resource consumption, leading to a denial-of-service (DoS) condition. While the impact is significant, exploitation requires specific conditions, such as parsing large tokens, which may not always align with typical usage patterns.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-04-02T00:00:00Z",
    "advisory" : "RHSA-2024:1615",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "expat-0:2.2.5-11.el8_9.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-07-02T00:00:00Z",
    "advisory" : "RHSA-2024:4259",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "xmlrpc-c-0:1.51.0-9.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22871",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "expat-0:2.2.10-1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22785",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "expat-0:2.2.10-1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-12-04T00:00:00Z",
    "advisory" : "RHSA-2025:22785",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "expat-0:2.2.10-1.el8_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-05-14T00:00:00Z",
    "advisory" : "RHSA-2024:2839",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "expat-0:2.2.5-8.el8_6.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2575",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "expat-0:2.2.5-11.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-1.el9_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-26T00:00:00Z",
    "advisory" : "RHSA-2024:1530",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "expat-0:2.5.0-1.el9_3.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-25T00:00:00Z",
    "advisory" : "RHSA-2025:22035",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "expat-0:2.2.10-12.el9_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-06-13T00:00:00Z",
    "advisory" : "RHSA-2024:3926",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "expat-0:2.5.0-1.el9_2.1"
  }, {
    "product_name" : "Red Hat JBoss Core Services 2.4.62",
    "release_date" : "2025-04-02T00:00:00Z",
    "advisory" : "RHSA-2025:3453",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "expat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "expat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "expat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "firefox:flatpak/firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "thunderbird:flatpak/thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "firefox:flatpak/firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "thunderbird:flatpak/thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52425\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52425" ],
  "name" : "CVE-2023-52425",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}