
Cloud Vulnerability DB
A community-led vulnerabilities database
In Expat (aka libexpat) before version 2.4.5, an attacker can trigger stack exhaustion in the build_model function via a large nesting depth in the DTD element. The vulnerability was discovered and disclosed in February 2022 and affects Expat, a C library for XML parsing that is widely used across many software applications (MITRE, NVD).
The vulnerability occurs because build_node is a recursively called function within build_model. When processing XML files with deeply nested DTD elements, this recursive approach can lead to stack exhaustion. The issue was fixed by adjusting the code to run iteratively instead of recursively, using already allocated heap space as temporary stack growing from top to bottom. The fix maintains full API and ABI compatibility without adding new fields to data structures (GITHUB).
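The recursive-to-iterative change described above, shown as an added illustration that is not Expat's code: the `Src` and `Out` types and all function names are hypothetical, simplified stand-ins for a parsed content model, and the chain input is constructed. Pending work is kept inside the already allocated result array, so nesting depth no longer consumes call stack.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for a parsed content model; these are
 * not Expat's types. Index -1 means "none". */
typedef struct { int tag, firstchild, nextsib; unsigned childcnt; } Src;
typedef struct Out { int tag; unsigned numchildren; struct Out *children; } Out;

/* Iterative build: a reserved but unfilled slot of the result array holds,
 * in numchildren, the index of the source node that belongs there. A
 * recursive build would use one call frame per nesting level instead. */
Out *build_iter(const Src *s, size_t n, int root) {
    Out *ret = n ? calloc(n, sizeof *ret) : NULL;
    if (ret == NULL) return NULL;
    Out *job = ret;                        /* next unreserved slot */
    (job++)->numchildren = (unsigned)root; /* job for slot 0 */
    for (Out *dest = ret; dest < job; dest++) {
        int i = (int)dest->numchildren;    /* pick up the job */
        dest->tag = s[i].tag;
        dest->numchildren = s[i].childcnt;
        dest->children = s[i].childcnt ? job : NULL;
        for (int c = s[i].firstchild; c != -1; c = s[c].nextsib) {
            if (job == ret + n) { free(ret); return NULL; } /* malformed */
            (job++)->numchildren = (unsigned)c;
        }
    }
    return ret;
}

/* Constructed input: one chain of n nested nodes. Returns the depth of the
 * tree built from it (0 on allocation failure), walked without recursion. */
size_t built_chain_depth(size_t n) {
    Src *s = malloc(n * sizeof *s);
    if (s == NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        int last = (i + 1 == n);
        s[i] = (Src){ (int)i, last ? -1 : (int)i + 1, -1, last ? 0u : 1u };
    }
    Out *o = build_iter(s, n, 0);
    size_t d = 0;
    for (const Out *p = o; p != NULL; p = p->numchildren ? p->children : NULL)
        d++;
    free(o); free(s);
    return d;
}

int main(void) {
    printf("depth built: %zu\n", built_chain_depth(100000));
    return 0;
}
```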
The vulnerability has a CVSS v3.1 base score of 6.5 (Medium): the attack vector is Network and attack complexity is Low; it requires no privileges but does require user interaction, and it affects only availability. Successful exploitation could result in denial of service or potentially arbitrary code execution when processing malformed XML files (NETAPP).
The vulnerability was fixed in Expat version 2.4.5. Users and organizations are strongly recommended to upgrade to this version or later. The fix involves changing the recursive implementation to an iterative one while maintaining compatibility. Multiple Linux distributions and software vendors have released patches for their affected products (DEBIAN, FEDORA).
Source: This report was generated using AI