@@ -68,6 +68,7 @@ quadratic blowup **Vulnerable** (1) **Vulnerable** (1) **Vulnerable*
|
68 | 68 | external entity expansion Safe (5) Safe (2) Safe (3) Safe (5) Safe (4) |
69 | 69 | `DTD`_ retrieval Safe (5) Safe Safe Safe (5) Safe |
70 | 70 | decompression bomb Safe Safe Safe Safe **Vulnerable** |
| 71 | +large tokens **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6) **Vulnerable** (6) |
71 | 72 | ========================= ================== ================== ================== ================== ================== |
72 | 73 | |
73 | 74 | 1. Expat 2.4.1 and newer is not vulnerable to the "billion laughs" and |
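Review bot: the new `large tokens` row at line 71 must not overflow the simple-table rulers, since a cell wider than its `====` column silently breaks the RST table; the first column ruler is 25 characters and the others 18, and `**Vulnerable** (6)` is exactly 18, so it fits, but any later rewording of the cell (for example adding a version) would need the rulers on line 72 widened too. Marking every column vulnerable with a version-dependent footnote matches the existing `(1)` convention for the billion laughs row, so the notation is consistent.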
@@ -81,6 +82,11 @@ decompression bomb Safe Safe Safe
|
81 | 82 | 4. :mod:`xmlrpc.client` doesn't expand external entities and omits them. |
82 | 83 | 5. Since Python 3.7.1, external general entities are no longer processed by |
83 | 84 | default. |
| 85 | +6. Expat 2.6.0 and newer is not vulnerable to denial of service |
| 86 | + through quadratic runtime caused by parsing large tokens. |
| 87 | + Items still listed as vulnerable due to |
| 88 | + potential reliance on system-provided libraries. Check |
| 89 | +:const:`!pyexpat.EXPAT_VERSION`. |
84 | 90 | |
85 | 91 | |
86 | 92 | billion laughs / exponential entity expansion |
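Review bot: line 89 is not indented, so `:const:`!pyexpat.EXPAT_VERSION`.` falls outside enumerated item 6 and will render as a separate paragraph (and end the footnote list) instead of completing the sentence "Check ..."; indent it to match lines 86-88. The sentence on lines 87-88 is also missing its verb: "Items still listed as vulnerable due to potential reliance on system-provided libraries." should read "Items are still listed as vulnerable due to potential reliance on system-provided libraries." Finally, the leading `!` suppresses cross-referencing; if the constant is documented under :mod:`xml.parsers.expat`, a `:data:` role pointing there would give readers a working link rather than plain literal text.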
@@ -114,6 +120,13 @@ decompression bomb
|
114 | 120 | files. For an attacker it can reduce the amount of transmitted data by three |
115 | 121 | magnitudes or more. |
116 | 122 | |
| 123 | +large tokens |
| 124 | + Expat needs to re-parse unfinished tokens; without the protection |
| 125 | + introduced in Expat 2.6.0, this can lead to quadratic runtime that can |
| 126 | + be used to cause denial of service in the application parsing XML. |
| 127 | + The issue is known as |
| 128 | + `CVE-2023-52425 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-52425>`_. |
| 129 | + |
117 | 130 | The documentation for `defusedxml`_ on PyPI has further information about |
118 | 131 | all known attack vectors with examples and references. |
119 | 132 | |
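Review bot: line 129 adds a blank line carrying trailing whitespace (`+ `), which the docs linting will flag; make it an empty line. The new `large tokens` entry is placed after `decompression bomb`, matching the order of the table rows, which is good; consider also stating in the entry that the protection only applies when the interpreter is linked against Expat 2.6.0 or newer, or pointing at footnote 6, since a reader arriving here from the CVE link will not otherwise learn how to check their own build.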
|