vulnerability
Amazon Linux 2023: CVE-2022-25236: Critical priority package update for expat
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 19, 2022 | Feb 17, 2025 | Jul 4, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Feb 19, 2022
Added
Feb 17, 2025
Modified
Jul 4, 2025
Description
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns[:prefix]" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML processor.
A flaw was found in expat. Passing one or more namespace separator characters in the "xmlns[:prefix]" attribute values made expat send malformed tag names to the XML processor on top of expat. This issue causes arbitrary code execution depending on how unexpected cases are handled inside the XML processor.
Solutions
amazon-linux-2023-upgrade-expatamazon-linux-2023-upgrade-expat-debuginfoamazon-linux-2023-upgrade-expat-debugsourceamazon-linux-2023-upgrade-expat-develamazon-linux-2023-upgrade-expat-static
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.