python · hartwork · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025 · Sep 30, 2025
diff --git a/Doc/library/pyexpat.rst b/Doc/library/pyexpat.rst
@@ -614,6 +614,13 @@
 
 .. method:: xmlparser.ExternalEntityRefHandler(context, base, systemId, publicId)
 
+   .. warning::
+
+      Registering a handler for external entity references may allow
+      attacker-controller XML to access local files and/or the network,
+      and thus create new security risks.
+      By default, :class:`xmlparser` is safe from these threats.
+
    Called for references to external entities.  *base* is the current base, as set
    by a previous call to :meth:`SetBase`.  The public and system identifiers,
    *systemId* and *publicId*, are strings if given; if the public identifier is not

diff --git a/Doc/library/xml.rst b/Doc/library/xml.rst
@@ -53,11 +53,21 @@ XML security
 
 An attacker can abuse XML features to carry out denial of service attacks,
 access local files, generate network connections to other machines, or
-circumvent firewalls.
+circumvent firewalls when attacker-controlled XML is being parsed,
+in Python or elsewhere.
 
-Expat versions lower than 2.6.0 may be vulnerable to "billion laughs",
-"quadratic blowup" and "large tokens". Python may be vulnerable if it uses such
-older versions of Expat as a system-provided library.
+The builtin XML parsers of Python rely on library `libexpat`_, commonly
+called Expat, for parsing XML.
+
+By default, Expat itself does not access local files or create network
+connections.
+
+Expat versions lower than 2.7.2 may be vulnerable to "billion laughs",
+"quadratic blowup" and "large tokens" or disproportional use of dynamic memory.
+Python bundles a copy of Expat, and whether the bundled or a system-wide Expat
+is being used by Python, depends on how the Python interpreter
+:doc:`has been configured <../using/configure>` in your environment.
+Python may be vulnerable if it uses such older versions of Expat.
 Check :const:`!pyexpat.EXPAT_VERSION`.
 
 :mod:`xmlrpc` is **vulnerable** to the "decompression bomb" attack.
@@ -90,5 +100,6 @@ large tokens
   be used to cause denial of service in the application parsing XML.
   The issue is known as :cve:`2023-52425`.
 
+.. _libexpat: https://github.com/libexpat/libexpat
 .. _Billion Laughs: https://en.wikipedia.org/wiki/Billion_laughs
 .. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
diff --git a/Misc/NEWS.d/next/Documentation/2025-09-30-20-57-26.gh-issue-139313.ibcC9q.rst b/Misc/NEWS.d/next/Documentation/2025-09-30-20-57-26.gh-issue-139313.ibcC9q.rst
@@ -0,0 +1,5 @@
+Improve documentation on
+:doc:`XML security <../library/xml>`
+and method
+:meth:`~xml.parsers.expat.xmlparser.ExternalEntityRefHandler`.
+Patch by Sebastian Pipping.