{"id":"HSEC-2023-0004","summary":"xml-conduit unbounded entity expansion","details":"# xml-conduit unbounded entity expansion\n\nA vulnerability was found in *xml-conduit*. It has been classified\nas problematic.  Affected is an unknown function of the file\n`xml-conduit/src/Text/XML/Stream/Parse.hs` of the component DOCTYPE\nEntity Expansion Handler. The manipulation leads to infinite loop.\nIt is possible to launch the attack remotely. Upgrading to version\n1.9.1.0 is able to address this issue. The name of the patch is\n`4be1021791dcdee8b164d239433a2043dc0939ea`. It is recommended to\nupgrade the affected component.\n","aliases":["CVE-2021-4249"],"modified":"2026-05-30T07:41:09.999679326Z","published":"2025-11-14T14:45:34Z","database_specific":{"home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"},"references":[{"type":"FIX","url":"https://github.com/snoyberg/xml/pull/161"},{"type":"FIX","url":"https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea"}],"affected":[{"package":{"name":"xml-conduit","ecosystem":"Hackage","purl":"pkg:hackage/xml-conduit"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.5.0"},{"fixed":"1.9.1.0"}]}],"versions":["0.5.0","0.5.0.1","0.5.1","0.5.1.1","0.5.1.2","0.5.2","0.5.3","0.5.3.1","0.5.4","0.6.0","0.6.1","0.7.0","0.7.0.1","0.7.0.2","0.7.0.3","1.0.0","1.0.1","1.0.1.1","1.0.2","1.0.2.1","1.0.3","1.0.3.1","1.0.3.2","1.0.3.3","1.1.0","1.1.0.1","1.1.0.2","1.1.0.3","1.1.0.4","1.1.0.5","1.1.0.6","1.1.0.7","1.1.0.8","1.1.0.9","1.2.0","1.2.0.1","1.2.0.2","1.2.0.3","1.2.1","1.2.1.1","1.2.2","1.2.3","1.2.3.1","1.2.3.2","1.2.3.3","1.2.4","1.2.5","1.2.5.1","1.2.6","1.3.0","1.3.1","1.3.2","1.3.3","1.3.3.1","1.3.4","1.3.4.1","1.3.4.2","1.3.5","1.4.0","1.4.0.1","1.4.0.2","1.4.0.3","1.4.0.4","1.5.0","1.5.1","1.6.0","1.7.0","1.7.0.1","1.7.1.0","1.7.1.1","1.7.1.2","1.8.0","1.8.0.1","1.9.0.0"],"database_specific":{"osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0004.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0004.md","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0004.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.5"}