CVE-2022-25313

medium

Published 2022-07-01 · Modified 2022-07-21

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.5

Description

Moderate: expat security update

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description expat: Stack exhaustion in doctype parsing Red Hat statement This flaw affects applications that leverage expat to parse untrusted XML files. Applications which only parse trusted XML files or do not process XML files at all are not affected by this flaw. CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat…

Description

expat: Stack exhaustion in doctype parsing

Red Hat statement

This flaw affects applications that leverage expat to parse untrusted XML files. Applications which only parse trusted XML files or do not process XML files at all are not affected by this flaw.

CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`mingw-expat-0:2.4.8-1.el8`	RHSA-2022:7811	2022-11-08T00:00:00Z
Red Hat Enterprise Linux 8	`expat-0:2.2.5-8.el8_6.2`	RHSA-2022:5314	2022-06-30T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support	`expat-0:2.2.10-1.el8_2`	RHSA-2025:22871	2025-12-09T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	`expat-0:2.2.10-1.el8_4`	RHSA-2025:22785	2025-12-04T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	`expat-0:2.2.10-1.el8_4`	RHSA-2025:22785	2025-12-04T00:00:00Z
Red Hat Enterprise Linux 9	`expat-0:2.2.10-12.el9_0.2`	RHSA-2022:5244	2022-07-01T00:00:00Z
Red Hat Enterprise Linux 9	`expat-0:2.2.10-12.el9_0.2`	RHSA-2022:5244	2022-07-01T00:00:00Z
Text-Only JBCS	`expat`	RHSA-2022:7144	2022-10-26T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 6	`expat`	Out of support scope
Red Hat Enterprise Linux 7	`expat`	Out of support scope
Red Hat Enterprise Linux 7	`firefox`	Out of support scope
Red Hat Enterprise Linux 7	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 8	`firefox`	Will not fix
Red Hat Enterprise Linux 8	`firefox:flatpak/firefox`	Will not fix
Red Hat Enterprise Linux 8	`thunderbird`	Will not fix
Red Hat Enterprise Linux 8	`thunderbird:flatpak/thunderbird`	Will not fix
Red Hat Enterprise Linux 8	`xmlrpc-c`	Not affected
Red Hat Enterprise Linux 9	`firefox`	Affected
Red Hat Enterprise Linux 9	`thunderbird`	Affected
Red Hat Enterprise Linux 9	`xmlrpc-c`	Not affected

Apply commands

bash fix

Apply RHSA-2022:7811 for Red Hat Enterprise Linux 8

yum update -y mingw-expat
# or:
dnf upgrade -y mingw-expat

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 8	`Not affected`
redhat	Red Hat Enterprise Linux 9	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`
redhat	Red Hat Enterprise Linux 9	`Not affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

AlmaLinux Fixed 1 release

Version	Status	Fixed in
9	Fixed	`expat-2.2.10-12.el9_0.2.aarch64.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`2.4.5-1`
sid	Fixed	`2.4.5-1`
forky	Fixed	`2.4.5-1`
bullseye	Fixed	`2.2.10-2+deb11u2`
bookworm	Fixed	`2.4.5-1`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Rocky Linux Fixed 1 release

Version	Status	Fixed in
8	Fixed	—

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.