Expat XML Parser Patches Critical, Long-Standing Vulnerability: A Decade-Long Battle

2025-03-13

After two and a half years of effort, a critical vulnerability (CVE-2024-8176) in the Expat XML parser has finally been patched. The vulnerability, stemming from recursive calls that could overflow the stack and enable denial-of-service attacks, was addressed in version 2.7.0. Maintainer Sebastian Pipping, after reaching out to numerous companies for assistance, collaborated with Siemens and others for ten months to resolve three variants of the issue. The release also includes other improvements, such as a new fuzzer and 64-bit Windows binaries. This story serves as a reminder of the hidden security risks in even seemingly simple programming techniques, and of the importance of open-source community collaboration.