diff --git a/content/pages/xml-security.md b/content/pages/xml-security.md index 007ac0a..6c1d79a 100644 --- a/content/pages/xml-security.md +++ b/content/pages/xml-security.md @@ -30,5 +30,18 @@ expected. # Billion laughs attack -TODO +By recursively nesting entities, it is possible to have a relatively small XML input file that generates a +huge output after processing entities and/or takes a long time to process. In case of high memory +usage, an XML parser may crash if the out-of-memory situation is not handled gracefully. This is known as a +billion laughs attack. +Expat includes countermeasures against billion laugh attacks. By default, Expat stops processing inputs if +the output is more than 100 times larger than the input and larger than 8 MiB. + +The billion laughs attack in Expat, which affected versions before 2.4.0, is tracked as +[CVE-2013-0340](https://www.cve.org/CVERecord?id=CVE-2013-0340). + +Note that there are variations of the billion laughs attack and other denial of service issues in XML parsing. +Examples include [CVE-2025-59375](https://www.cve.org/CVERecord?id=CVE-2025-59375) (inputs can cause large +dynamic memory allocation, fixed in 2.7.2) and +[CVE-2024-8176](https://www.cve.org/CVERecord?id=CVE-2024-8176) (crash due to deep recursion, fixed in 2.7.0).
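Review bot: In the first added paragraph, the sentence "Expat includes countermeasures against billion laugh attacks." follows "billion laughs attack." without a blank `+` line, so Markdown renders the general description and the Expat-specific countermeasures as a single paragraph; insert an empty line before it, and spell the name consistently as "billion laughs attacks" (the hunk uses "billion laugh attacks" here but "billion laughs attack" everywhere else). Two smaller wording points in the same hunk: "In case of high memory usage" reads better as "In the case of high memory usage", and "The billion laughs attack in Expat, which affected versions before 2.4.0, is tracked as" is clearer as "Expat's susceptibility to the billion laughs attack, fixed in 2.4.0, is tracked as", which also matches the "fixed in 2.7.2" / "fixed in 2.7.0" phrasing used for the two CVEs in the last paragraph.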