@@ -68,6 +68,7 @@ quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable*
6868external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4)
6969`DTD `_ retrieval Safe (5) Safe Safe Safe (5) Safe
7070decompression bomb Safe Safe Safe Safe **Vulnerable **
71+ large tokens **Vulnerable ** (6) **Vulnerable ** (6) **Vulnerable ** (6) **Vulnerable ** (6) **Vulnerable ** (6)
7172========================= ================== ================== ================== ================== ==================
7273
73741. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and
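Review bot: The new "large tokens" row marks all five modules as Vulnerable (6) even though footnote 6 says Expat 2.6.0 and newer fixes the issue, which differs from how the "billion laughs" and "quadratic blowup" rows handle the Expat 2.4.1 fix via footnote 1 alone; consider phrasing the cell the same way the earlier rows do, or making the footnote the single place that states the version dependency. Also double-check that the cell text of the added row, including the `(6)` reference, stays within the `=====` column boundaries of this simple table, since a cell spilling past a column break makes the whole table fail to render.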
@@ -81,6 +82,11 @@ decompression bomb Safe Safe Safe
81824. :mod: `xmlrpclib ` doesn't expand external entities and omits them.
82835. Since Python 3.7.1, external general entities are no longer processed by
8384 default.
85+ 6. Expat 2.6.0 and newer is not vulnerable to denial of service
86+ through quadratic runtime caused by parsing large tokens.
87+ Items still listed as vulnerable due to
88+ potential reliance on system-provided libraries. Check
89+ :const: `!pyexpat.EXPAT_VERSION `.
8490
8591
8692billion laughs / exponential entity expansion
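Review bot: The sentence "Items still listed as vulnerable due to potential reliance on system-provided libraries." in footnote 6 is a fragment (no main verb) and does not say what the reliance implies; suggest "Items are still listed as vulnerable because CPython may be linked against a system-provided Expat older than 2.6.0; check :const:`!pyexpat.EXPAT_VERSION` to see which version is in use." This keeps the footnote parallel to footnote 1, which also ties safety to the linked Expat version.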
@@ -114,6 +120,13 @@ decompression bomb
114120 files. For an attacker it can reduce the amount of transmitted data by three
115121 magnitudes or more.
116122
123+ large tokens
124+ Expat needs to re-parse unfinished tokens; without the protection
125+ introduced in Expat 2.6.0, this can lead to quadratic runtime that can
126+ be used to cause denial of service in the application parsing XML.
127+ The issue is known as
128+ `CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425 >`_.
129+
117130The documentation for `defusedxml `_ on PyPI has further information about
118131all known attack vectors with examples and references.
119132
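Review bot: The new "large tokens" entry says Expat "needs to re-parse unfinished tokens" without saying when that happens, so a reader cannot tell which usage pattern is exposed; suggest adding that the re-parsing occurs during incremental parsing, when a single large token (for example a very long text node or attribute value) is delivered across many calls that feed partial input, and that each additional chunk triggers a rescan of the token from its start, which is what makes the runtime quadratic in the token size. Stating that also makes clear why the fix in Expat 2.6.0 is the relevant mitigation rather than any change in the Python modules themselves.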