Apache Xerces-C++ currently lacks active maintainers and therefore needs to tightly scope what security guarantees it provides.

We recommend that users that process untrusted input take their own precautions to make sure their applications fail gracefully when the input takes inappropriate amounts of memory or CPU to process.

Therefore we will no longer accept Denial of Service reports as security vulnerabilities. We will still consider reports where Xerces-C++ processes external paths (when it is correctly configured not to), or where it allows arbitrary code execution.

To report a problem where Xerces-C++ behaves in a way that violates the security model described above, please use the ASF-wide reporting process.

The following security advisories apply to all released versions and are not believed to have been addressed. The project does not vouch for the accuracy of any advisories created by third parties but will publish any that appear credible.

• CVE-2012-0880: Apache Xerces-C hash table collisions CPU usage DoS

The following security advisories apply to versions of Xerces-C older than V3.2.5:

• CVE-2018-1311: Apache Xerces-C use-after-free vulnerability scanning external DTD

The following security advisories apply to versions of Xerces-C older than V3.2.1:

• CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

The following security advisories apply to versions of Xerces-C older than V3.1.4:

• CVE-2016-4463: Apache Xerces-C XML Parser Crashes on Malformed DTD

The following security advisories apply to versions of Xerces-C older than V3.1.3:

• CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

The following security advisories apply to versions of Xerces-C older than V3.1.2:

• CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input