Vulnerability details: VCID-77y6-jskt-qucb
Vulnerability ID VCID-77y6-jskt-qucb
Aliases CVE-2025-59375
Summary libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (1)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59375.json
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2025-59375
epss 0.00058 https://api.first.org/data/v1/epss?cve=CVE-2025-59375
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.5 https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
ssvc Track https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
cvssv3.1 7.5 https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
ssvc Track https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
cvssv3.1 7.5 https://github.com/libexpat/libexpat/issues/1018
ssvc Track https://github.com/libexpat/libexpat/issues/1018
cvssv3.1 7.5 https://github.com/libexpat/libexpat/pull/1034
ssvc Track https://github.com/libexpat/libexpat/pull/1034
cvssv3.1 7.5 https://issues.oss-fuzz.com/issues/439133977
ssvc Track https://issues.oss-fuzz.com/issues/439133977
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2026-20
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2026-22
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2026-23
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2026-24
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59375.json
https://api.first.org/data/v1/epss?cve=CVE-2025-59375
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59375
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1018 https://github.com/libexpat/libexpat/issues/1018
1034 https://github.com/libexpat/libexpat/pull/1034
1115298 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115298
2395108 https://bugzilla.redhat.com/show_bug.cgi?id=2395108
439133977 https://issues.oss-fuzz.com/issues/439133977
Changes https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
Changes#L45-L74 https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
mfsa2026-20 https://www.mozilla.org/en-US/security/advisories/mfsa2026-20
mfsa2026-22 https://www.mozilla.org/en-US/security/advisories/mfsa2026-22
mfsa2026-23 https://www.mozilla.org/en-US/security/advisories/mfsa2026-23
mfsa2026-24 https://www.mozilla.org/en-US/security/advisories/mfsa2026-24
RHSA-2025:19020 https://access.redhat.com/errata/RHSA-2025:19020
RHSA-2025:19403 https://access.redhat.com/errata/RHSA-2025:19403
RHSA-2025:21030 https://access.redhat.com/errata/RHSA-2025:21030
RHSA-2025:21773 https://access.redhat.com/errata/RHSA-2025:21773
RHSA-2025:21776 https://access.redhat.com/errata/RHSA-2025:21776
RHSA-2025:21974 https://access.redhat.com/errata/RHSA-2025:21974
RHSA-2025:22033 https://access.redhat.com/errata/RHSA-2025:22033
RHSA-2025:22034 https://access.redhat.com/errata/RHSA-2025:22034
RHSA-2025:22035 https://access.redhat.com/errata/RHSA-2025:22035
RHSA-2025:22175 https://access.redhat.com/errata/RHSA-2025:22175
RHSA-2025:22607 https://access.redhat.com/errata/RHSA-2025:22607
RHSA-2025:22618 https://access.redhat.com/errata/RHSA-2025:22618
RHSA-2025:22785 https://access.redhat.com/errata/RHSA-2025:22785
RHSA-2025:22842 https://access.redhat.com/errata/RHSA-2025:22842
RHSA-2025:22871 https://access.redhat.com/errata/RHSA-2025:22871
RHSA-2025:22935 https://access.redhat.com/errata/RHSA-2025:22935
RHSA-2025:23078 https://access.redhat.com/errata/RHSA-2025:23078
RHSA-2025:23079 https://access.redhat.com/errata/RHSA-2025:23079
RHSA-2025:23080 https://access.redhat.com/errata/RHSA-2025:23080
RHSA-2025:23202 https://access.redhat.com/errata/RHSA-2025:23202
RHSA-2025:23204 https://access.redhat.com/errata/RHSA-2025:23204
RHSA-2025:23205 https://access.redhat.com/errata/RHSA-2025:23205
RHSA-2025:23209 https://access.redhat.com/errata/RHSA-2025:23209
RHSA-2025:23227 https://access.redhat.com/errata/RHSA-2025:23227
RHSA-2025:23248 https://access.redhat.com/errata/RHSA-2025:23248
RHSA-2025:23449 https://access.redhat.com/errata/RHSA-2025:23449
RHSA-2025:23550 https://access.redhat.com/errata/RHSA-2025:23550
RHSA-2026:0001 https://access.redhat.com/errata/RHSA-2026:0001
RHSA-2026:0076 https://access.redhat.com/errata/RHSA-2026:0076
RHSA-2026:0077 https://access.redhat.com/errata/RHSA-2026:0077
RHSA-2026:0078 https://access.redhat.com/errata/RHSA-2026:0078
RHSA-2026:0326 https://access.redhat.com/errata/RHSA-2026:0326
RHSA-2026:0332 https://access.redhat.com/errata/RHSA-2026:0332
RHSA-2026:0414 https://access.redhat.com/errata/RHSA-2026:0414
RHSA-2026:0420 https://access.redhat.com/errata/RHSA-2026:0420
RHSA-2026:0518 https://access.redhat.com/errata/RHSA-2026:0518
RHSA-2026:0674 https://access.redhat.com/errata/RHSA-2026:0674
RHSA-2026:0677 https://access.redhat.com/errata/RHSA-2026:0677
RHSA-2026:0702 https://access.redhat.com/errata/RHSA-2026:0702
RHSA-2026:0934 https://access.redhat.com/errata/RHSA-2026:0934
RHSA-2026:0996 https://access.redhat.com/errata/RHSA-2026:0996
RHSA-2026:1541 https://access.redhat.com/errata/RHSA-2026:1541
RHSA-2026:1652 https://access.redhat.com/errata/RHSA-2026:1652
RHSA-2026:3407 https://access.redhat.com/errata/RHSA-2026:3407
RHSA-2026:3461 https://access.redhat.com/errata/RHSA-2026:3461
RHSA-2026:3462 https://access.redhat.com/errata/RHSA-2026:3462
USN-8022-1 https://usn.ubuntu.com/8022-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59375.json
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) low
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C Found at https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high. Temporal metrics: Exploit Code Maturity (E) high; Remediation Level (RL) temporary fix; Report Confidence (RC) confirmed
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:22:58Z/ Found at https://github.com/libexpat/libexpat/blob/676a4c531ec768732fac215da9730b5f50fbd2bf/expat/Changes#L45-L74
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C Found at https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high. Temporal metrics: Exploit Code Maturity (E) high; Remediation Level (RL) temporary fix; Report Confidence (RC) confirmed
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:22:58Z/ Found at https://github.com/libexpat/libexpat/blob/R_2_7_2/expat/Changes
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C Found at https://github.com/libexpat/libexpat/issues/1018
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high. Temporal metrics: Exploit Code Maturity (E) high; Remediation Level (RL) temporary fix; Report Confidence (RC) confirmed
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:22:58Z/ Found at https://github.com/libexpat/libexpat/issues/1018
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C Found at https://github.com/libexpat/libexpat/pull/1034
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high. Temporal metrics: Exploit Code Maturity (E) high; Remediation Level (RL) temporary fix; Report Confidence (RC) confirmed
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:22:58Z/ Found at https://github.com/libexpat/libexpat/pull/1034
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:T/RC:C Found at https://issues.oss-fuzz.com/issues/439133977
Decoded base metrics: Attack Vector (AV) network; Attack Complexity (AC) low; Privileges Required (PR) none; User Interaction (UI) none; Scope (S) unchanged; Confidentiality Impact (C) none; Integrity Impact (I) none; Availability Impact (A) high. Temporal metrics: Exploit Code Maturity (E) high; Remediation Level (RL) temporary fix; Report Confidence (RC) confirmed
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-15T20:22:58Z/ Found at https://issues.oss-fuzz.com/issues/439133977
Exploit Prediction Scoring System (EPSS)
Percentile 0.15811
EPSS Score 0.00051
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:16:34.335892+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2026/mfsa2026-22.yml 38.0.0