
CVE-2024-28757: n/a

Severity: High
Published: Sun Mar 10 2024 (03/10/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

AI-Powered Analysis

Last updated: 11/11/2025, 21:05:16 UTC

Technical Analysis

CVE-2024-28757 is a vulnerability in the widely used XML parsing library libexpat, specifically affecting versions up to 2.6.1. The flaw arises when external parsers are created in isolation using the XML_ExternalEntityParserCreate function, enabling an XML Entity Expansion (XEE) attack. XEE attacks exploit the XML parser's handling of external entities to recursively expand entity references, leading to excessive memory and CPU consumption, effectively causing a denial of service (DoS). This vulnerability does not impact confidentiality or integrity but severely affects availability by exhausting system resources. The CVSS v3.1 score of 7.5 reflects its high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and unchanged scope (S:U). No known exploits have been reported in the wild yet, but the potential for automated exploitation exists due to the lack of authentication and user interaction requirements. The vulnerability is categorized under CWE-776, which relates to improper restriction of recursive entity references in XML parsers. Since libexpat is embedded in numerous software products and systems for XML parsing, this vulnerability could affect a broad range of applications, especially those that process untrusted XML data and use external entity parsers in isolation. The absence of patches at the time of publication necessitates immediate attention to mitigation strategies to prevent exploitation.

Potential Impact

For European organizations, the primary impact of CVE-2024-28757 is the risk of denial of service attacks that can disrupt critical services relying on XML parsing. Industries such as telecommunications, finance, government, and energy often use XML for configuration, data interchange, and communication protocols, making them vulnerable to service outages. The vulnerability could lead to system downtime, degraded performance, and potential cascading failures in interconnected systems. Since the attack requires no authentication or user interaction, attackers can remotely trigger the vulnerability, increasing the risk of widespread disruption. Organizations using libexpat in custom or third-party applications that parse XML with external entity parsers are particularly at risk. The impact on availability could affect business continuity, regulatory compliance (e.g., GDPR mandates on service availability), and trust in digital services. Although confidentiality and integrity are not directly compromised, the operational impact can be severe, especially in critical infrastructure sectors.

Mitigation Recommendations

European organizations should immediately audit their use of libexpat, focusing on whether XML_ExternalEntityParserCreate is used to create isolated external parsers. If so, they should avoid or disable this usage pattern until patches are available. Applying vendor patches or updates to libexpat once released is critical. In the interim, organizations can implement input validation and filtering to block XML documents containing external entity declarations or recursive entity references. Network-level protections such as Web Application Firewalls (WAFs) can be configured to detect and block malicious XML payloads exploiting entity expansion. Monitoring XML parser logs for unusual activity or resource spikes can provide early warning signs of exploitation attempts. For software vendors embedding libexpat, updating to a patched version and releasing updates to customers is essential. Additionally, organizations should consider isolating XML processing environments and applying resource limits to prevent resource exhaustion. Comprehensive incident response plans should be updated to include this vulnerability scenario.
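As an added example (not code from this record or from the libexpat project), the following Python program shows the two controls the recommendations above describe, using the standard library's pyexpat binding to libexpat: a version check against the range named in the description, and an application-level amplification budget that is installed on the top-level parser and re-installed on every child parser created through ExternalEntityParserCreate, the isolated external-parser path this CVE concerns. External entities are refused by default; when they are allowed, they are resolved from a constructed in-memory store rather than fetched. The limit values, the store contents and the sample documents are assumptions constructed for the example, and the budget is the application's own safeguard, not the limit a patched libexpat enforces internally.

```python
"""Added example (not code from this CVE record or from libexpat): an application-level
entity-expansion guard that covers both the top-level expat parser and any isolated child
parser made with ExternalEntityParserCreate, using Python's pyexpat binding to libexpat.
The limits, the in-memory entity store and the sample documents are all constructed here."""
import xml.parsers.expat as expat

MAX_AMPLIFICATION = 10.0      # assumed policy: expanded text may be at most 10x the raw input
ACTIVATION_THRESHOLD = 1024   # assumed: enforce the ratio only once this much text has expanded

# Constructed stand-in for an external-entity resolver; nothing is fetched from the network.
EXTERNAL_ENTITY_STORE = {
    "bomb.xml": b"<ext>&e4;</ext>",   # external text entity referring to the document's own entities
}


class EntityExpansionError(Exception):
    """Raised when expanded character data outgrows the raw input by more than MAX_AMPLIFICATION."""


def expat_is_affected(version=None):
    """True when the linked libexpat lies in the range the description names (through 2.6.1).
    This only checks the library; whether your code uses isolated external parsers is what an
    audit of XML_ExternalEntityParserCreate call sites is for."""
    v = tuple(version) if version is not None else tuple(expat.version_info)
    return v <= (2, 6, 1)


class GuardedParser:
    """expat parser tree that either refuses external entities or parses them with a child
    parser that shares the parent's amplification budget."""

    def __init__(self, allow_external=False):
        self.allow_external = allow_external
        self.input_bytes = 0    # raw bytes handed to any parser in this tree
        self.output_chars = 0   # expanded character data seen by any parser in this tree
        self.refused = []       # system ids of external entities we declined to parse
        self.parser = self._install(expat.ParserCreate())

    def _install(self, p):
        # Every parser in the tree, children included, gets the same handlers, so an isolated
        # external parser cannot expand entities outside the shared budget.
        p.CharacterDataHandler = self._on_chars
        p.ExternalEntityRefHandler = (
            lambda context, base, system_id, public_id:
                self._on_external_ref(p, context, system_id))
        return p

    def _on_chars(self, data):
        self.output_chars += len(data)
        if (self.output_chars > ACTIVATION_THRESHOLD
                and self.output_chars > MAX_AMPLIFICATION * self.input_bytes):
            raise EntityExpansionError(
                f"{self.output_chars} chars expanded from {self.input_bytes} input bytes")

    def _on_external_ref(self, parent, context, system_id):
        if not self.allow_external:
            self.refused.append(system_id)
            return 0   # expat fails the parse: "error in processing external entity reference"
        payload = EXTERNAL_ENTITY_STORE.get(system_id, b"")
        self.input_bytes += len(payload)
        child = self._install(parent.ExternalEntityParserCreate(context))
        child.Parse(payload, True)   # an EntityExpansionError here propagates out of parent.Parse()
        return 1

    def parse(self, doc):
        self.input_bytes += len(doc)
        self.parser.Parse(doc, True)
        return self.output_chars


def build_amplifying_document(depth=4, width=10, external=None):
    """Constructed sample: e0 is 'x' and each e(i) references e(i-1) `width` times, so
    e(depth) expands to width**depth characters. With `external` set, the body references
    an external entity of that system id instead of e(depth) directly."""
    dtd = ['<!ENTITY e0 "x">']
    for i in range(1, depth + 1):
        refs = f"&e{i - 1};" * width
        dtd.append(f'<!ENTITY e{i} "{refs}">')
    body = f"&e{depth};"
    if external:
        dtd.append(f'<!ENTITY ext SYSTEM "{external}">')
        body = "&ext;"
    dtd_text = "\n".join(dtd)
    return f"<!DOCTYPE d [\n{dtd_text}\n]>\n<d>{body}</d>".encode()


def parse_outcome(doc, allow_external=False):
    """Classify what the guard did with `doc`; usable both in tests and as a log line."""
    gp = GuardedParser(allow_external=allow_external)
    try:
        return f"ok:{gp.parse(doc)}"
    except EntityExpansionError:
        return "amplification-blocked"
    except expat.ExpatError as e:
        return "refused-external" if gp.refused else f"malformed:{e}"


if __name__ == "__main__":
    print("libexpat", expat.EXPAT_VERSION, "in affected range:", expat_is_affected())
    print(parse_outcome(b"<d>hello</d>"))
    print(parse_outcome(build_amplifying_document(depth=2)))
    print(parse_outcome(build_amplifying_document(depth=4)))
    print(parse_outcome(build_amplifying_document(external="bomb.xml")))
    print(parse_outcome(build_amplifying_document(external="bomb.xml"), allow_external=True))
```

Running the file prints the outcome for a benign document, a short and a long chain of nested internal entities, and an external entity reference with and without allow_external. The case worth watching is the last one: the guard exception raised inside the child parser surfaces from the parent's Parse() call, which is the property the recommendations ask for, namely that an isolated external parser never sits outside the expansion limits applied to the parent.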


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2024-03-10T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a47636d939959c8022fcd

Added to database: 11/4/2025, 6:35:15 PM

Last enriched: 11/11/2025, 9:05:16 PM

Last updated: 12/19/2025, 9:58:18 PM

