XML.com

Expat 2.7.0 released, includes security fixes

March 14, 2025

Submitted by Sebastian Pipping.

For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.7.0 was released earlier today. The key motivation for cutting a release now is to get the fix for a long-standing vulnerability — CVE-2024-8176 — out to users. As usual, there are also fixes to the two official build systems, as well as improvements to the documentation.

There is a new fuzzer xml_lpm_fuzzer that OSS-Fuzz has already started to include with their daily continuous fuzzing.

Another interesting side note of this release is the (harmless) TOCTTOU issue that static analysis uncovered in a benchmarking helper tool shipped alongside core libexpat.

One other thing that is new in this release is that Windows binaries are now built by GitHub Actions, and not just for 32-bit but also for 64-bit.

There is a more detailed version of this article, including the story behind the vulnerability CVE-2024-8176, at blog.hartwork.org if you're curious.

If you maintain Expat packaging, a bundled copy of Expat, or a pinned version of Expat somewhere, please update to 2.7.0. Thank you!

Sebastian Pipping
