CVE-2003-1564
MEDIUMlibxml2 < 2.5.0 - Denial of Service via Recursive Entity Expansion
Title source: llmDescription
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack."
References (6)
Core 6
Core References
Broken Link third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31868
Release Notes x_refsource_misc
http://xmlsoft.org/news.html
Broken Link mailing-list
x_refsource_mlist
http://www.stylusstudio.com/xmldev/200302/post20020.html
Issue Tracking x_refsource_misc
http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2
Mailing List, Patch mailing-list
x_refsource_mlist
http://mail.gnome.org/archives/xml/2008-August/msg00034.html
Broken Link vendor-advisory
x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2008-0886.html
Scores
CVSS v3
6.5
EPSS
0.0162
EPSS Percentile
72.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-776
Status
published
Products (1)
xmlsoft/libxml2
< 2.5.0
Published
Dec 31, 2003
Tracked Since
Feb 18, 2026