CVE-2023-52425: 
Bottlerocket vulnerability analysis and mitigation

CVE-2023-52425 affects libexpat through version 2.5.0. The vulnerability allows a denial of service (resource consumption) attack when parsing large XML tokens that require multiple buffer fills to complete, as the parser needs to re-parse the token from start multiple times (NVD, Debian LTS).

The vulnerability stems from libexpat's handling of large tokens requiring multiple buffer fills. When parsing such tokens, the library has to repeatedly re-parse from the beginning, leading to excessive resource consumption. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD, NetApp Advisory).

Successful exploitation of this vulnerability can lead to a denial of service condition through resource consumption. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NetApp Advisory).

The vulnerability has been fixed in libexpat version 2.6.0, which introduces a heuristic that defers further parsing until there's significantly more data available when the same token has failed multiple times. The fix also includes a new API, XML_SetReparseDeferralEnabled(), to optionally disable the new heuristic (Debian LTS, Fedora Update).