Securely parsing XML with expat 2.6.0 or later

The Python official documentation (3.12) recommends defusedxml for securely parsing XML, but also states that all standard library modules with the exception of xmlrpc are safe so long as expat 2.6.0 or later is used.

I’m thinking I’ll cut out defusedxml and write code which refuses to process XML when expat is not up-to-date. My code is for one client and (probably) won’t be used anywhere else, so I don’t have users that will be bothered by this.

Is this a safe approach? Are there XML exploits not listed in the table which the Python standard library modules/expat 2.6.0 are still vulnerable to?

The creator of the defusedxml package described the project as abandoned in 2018, citing upcoming security improvements in CPython and expat. Maintenance has continued since (1), although there have been some concerns about its future. Given the release of expat 2.6.0 since that thread, I’m thinking the standard library modules might be the future.


(1) As of today the package hasn’t been updated in ten months, but I’d argue that’s reasonable for a package like this. The last commit addressed support for the pre-release of 3.13, and Python has not seen new major releases since. Supporting new Python releases is effectively the only thing the package needs to keep up with.
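As an added example (my code, not the question author's), here is one way to implement the gate described in the question: read the version of the expat library that CPython is linked against from `xml.parsers.expat.version_info` and refuse to parse anything when it is older than 2.6.0. The function and exception names are my own, and the sample document is constructed; the `version` parameter only exists so the check can be exercised against arbitrary version tuples.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Minimum expat version that the Python 3.12 docs treat as safe for the
# standard-library parsers (xmlrpc excluded, per the docs).
MIN_EXPAT = (2, 6, 0)


class OutdatedExpatError(RuntimeError):
    """Raised when the linked expat is older than MIN_EXPAT."""


def linked_expat_version():
    """Version tuple of the expat library CPython was built against."""
    return tuple(expat.version_info)[:3]


def expat_is_current(version=None):
    """True if `version` (default: the linked expat) is >= 2.6.0."""
    v = linked_expat_version() if version is None else tuple(version)[:3]
    return v >= MIN_EXPAT


def parse_xml_guarded(data, version=None):
    """Parse `data` with ElementTree only if expat is recent enough.

    `version` is an injectable override used for testing; leave it as
    None in real code so the actual linked library is checked.
    """
    if not expat_is_current(version):
        found = linked_expat_version() if version is None else tuple(version)
        raise OutdatedExpatError(
            "refusing to parse XML: expat %s found, need >= %s"
            % (".".join(map(str, found)), ".".join(map(str, MIN_EXPAT)))
        )
    # Reached only when the check passes; stdlib parser is used as-is.
    return ET.fromstring(data)


# Constructed sample input, not from the original post.
SAMPLE = b"<config><host>example.invalid</host><port>8443</port></config>"


if __name__ == "__main__":
    print("linked expat:", expat.EXPAT_VERSION)
    root = parse_xml_guarded(SAMPLE)
    print("parsed root element:", root.tag)
```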