CVE-2003-1564

MEDIUM

Xmlsoft Libxml2 < 2.5.0 - XML Entity Expansion

Title source: rule

Description

libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."

References (6)

[Mailing List, Patch] http://mail.gnome.org/archives/xml/2008-August/msg00034.html

[Broken Link] http://secunia.com/advisories/31868

[Issue Tracking] http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2

[Broken Link] http://www.redhat.com/support/errata/RHSA-2008-0886.html

[Broken Link] http://www.stylusstudio.com/xmldev/200302/post20020.html

[Release Notes] http://xmlsoft.org/news.html

Scores

CVSS v3 6.5

EPSS 0.0065

EPSS Percentile 70.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Classification

CWE

CWE-776

Status draft

Affected Products (1)

xmlsoft/libxml2 < 2.5.0

Timeline

Published Dec 31, 2003

Tracked Since Feb 18, 2026