
Add advisory for xml-rs: unbounded entity expansion (Billion Laughs)#2661

Closed
BrianMcWilliams wants to merge 1 commit into rustsec:main from BrianMcWilliams:advisory/xml-rs-billion-laughs

Conversation

@BrianMcWilliams

Advisory for xml-rs: Unbounded Entity Expansion (Billion Laughs / XML Bomb, CWE-776)

xml-rs expands DTD entity references recursively with no depth or size limit. A sub-1KB payload can cause exponential memory consumption (~3M amplification ratio).

No patch exists. Alternative: quick-xml (does not expand entities by default).
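As an added illustration of the kind of bound the advisory text argues a parser needs (this is constructed example code, not code from xml-rs, quick-xml or this PR, and it says nothing about what xml-rs actually does), the following Python check computes each general entity's fully expanded size symbolically, without materialising it, and rejects a DTD whose amplification ratio or nesting depth exceeds a configurable limit. The regexes, the default thresholds and the sample DTDs are assumptions chosen for the demonstration.

```python
import re
from typing import Dict

# Constructed regexes: enough for the internal-subset declarations used below, not a full DTD grammar.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

class EntityExpansionError(ValueError):
    """Nesting deeper than the configured limit (this also stops reference cycles)."""

def expanded_size(name: str, decls: Dict[str, str], cache: Dict[str, int],
                  depth: int, max_depth: int) -> int:
    """Size of the fully expanded entity, computed without building the text."""
    if depth > max_depth:
        raise EntityExpansionError(f"entity nesting deeper than {max_depth} at &{name};")
    if name in cache:
        return cache[name]
    value = decls.get(name)
    if value is None:              # undeclared entity: treat the reference as literal text
        return len(f"&{name};")
    size, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - last   # literal text before this reference
        size += expanded_size(m.group(1), decls, cache, depth + 1, max_depth)
        last = m.end()
    size += len(value) - last      # trailing literal text
    cache[name] = size
    return size

def check_amplification(dtd: str, max_depth: int = 8, max_ratio: float = 10.0) -> dict:
    """Reject a DTD whose worst-case expansion exceeds max_ratio times its own length (assumed policy)."""
    decls = dict(ENTITY_DECL.findall(dtd))
    cache: Dict[str, int] = {}
    try:
        worst = max((expanded_size(n, decls, cache, 0, max_depth) for n in decls), default=0)
    except EntityExpansionError as exc:
        return {"expanded": None, "ratio": None, "reject": True, "reason": str(exc)}
    ratio = worst / max(len(dtd), 1)
    reject = ratio > max_ratio
    reason = f"amplification {ratio:.1f}x exceeds {max_ratio}x" if reject else "ok"
    return {"expanded": worst, "ratio": ratio, "reject": reject, "reason": reason}

# Constructed sample DTDs: a benign declaration and a four-level nested one (178 bytes, expands to 10000).
BENIGN_DTD = '<!DOCTYPE doc [ <!ENTITY company "Example Corp"> ]>'
NESTED_DTD = "<!DOCTYPE doc [\n" + '<!ENTITY a "aaaaaaaaaa">\n' + "".join(
    f'<!ENTITY {n} "' + f"&{p};" * 10 + '">\n' for n, p in [("b", "a"), ("c", "b"), ("d", "c")]
) + "]>"
```

Because the size is derived from the declarations rather than from the expanded output, the check costs time proportional to the number of declarations, which is the property a parser-side limit needs.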

@djc
Member

djc commented Feb 22, 2026

@kornelski any thoughts on this advisory?

@fintelia

The linked issue is titled "Profile-Guided Optimization (PGO) results" and doesn't seem to have anything to do with this advisory.

@djc djc closed this Feb 24, 2026
@kornelski
Contributor

xml-rs has protection against this attack.

The report by @BrianMcWilliams is LLM-hallucinated spam.


4 participants