Vulnerability
Resolution: Unresolved
quay-v3.16.0
Description of problem:
Scanned the quay builder image "quay.io/redhat-user-workloads/quay-eng-tenant/quay-builder-v3-16@sha256:c29deec2c95eea70dd06892acc47fa5c695d6ec1443afaf195b334e358d55c60" with trivy. Found a 'High' vulnerability, CVE-2025-59375. The detailed scan result is in quay-builder-v3-16-vulnerability.rtf.
- Vulnerability CVE-2025-31133 description
CVE-2025-59375 is caused by insufficient controls on dynamic memory allocation within libexpat when parsing XML documents. In affected versions (prior to 2.7.2), an attacker can submit a small, specially crafted XML document that causes the parser to allocate a much larger amount of memory than expected. This is due to the lack of proper checks or throttling on allocation requests in certain code paths. The vulnerability is classified as CWE-770: Allocation of Resources Without Limits or Throttling.
The root cause is documented in the libexpat GitHub repository and associated issues:
The vulnerability allows attackers to trigger large heap allocations by manipulating XML structures that the parser does not adequately constrain. This can result in denial of service as the process or system runs out of memory. The issue is fixed in libexpat version 2.7.2, which introduces stricter allocation checks and improved resource management.
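As an added example (not code from the ticket, Quay or Trivy), a small Python triage script that walks a Trivy JSON report, keeps findings at or above a severity floor, and checks an installed expat version against the 2.7.2 fix named above. The report is a constructed sample in the field layout of `trivy image -f json` (Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the package rows are made up.

```python
import json
from typing import Dict, List, Tuple

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
EXPAT_FIXED = (2, 7, 2)  # first libexpat release carrying the allocation checks

# Constructed sample in the shape of `trivy image -f json` output. The image
# name is the one from this ticket; the package rows are made up.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/redhat-user-workloads/quay-eng-tenant/quay-builder-v3-16",
    "Results": [{
        "Target": "quay-builder-v3-16 (constructed)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2025-59375", "PkgName": "expat",
             "InstalledVersion": "2.5.0-3", "FixedVersion": "2.7.2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "examplepkg",
             "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
})


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '2.5.0-3' or '2.7.2' into a comparable tuple (distro release suffix dropped)."""
    upstream = raw.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in upstream.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def expat_needs_update(installed: str) -> bool:
    """True when the installed libexpat predates the 2.7.2 fix for CVE-2025-59375."""
    return parse_version(installed) < EXPAT_FIXED


def triage(report_json: str, min_severity: str = "HIGH") -> List[Dict[str, str]]:
    """Return findings at or above min_severity, noting whether a fixed version exists."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            hits.append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                "installed": v["InstalledVersion"], "fixed": v.get("FixedVersion", ""),
                "action": "upgrade" if v.get("FixedVersion") else "no fix yet",
            })
    return hits
```

Pipe a real report in with `triage(open("report.json").read())`; expat rows where `expat_needs_update(installed)` is true are the ones this ticket is about.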