The library that is accessed via Perl is Expat.dll. It should live in a directory XML\Parser\Expat.dll. You should be able to swap out the libexpat.dll for the other version. Unfortunately, XML::Parser::Expat calls the vulnerable XML_GetCurrentLineNumber on invalid XML, so upgrading the libexpat libraries seems prudent if you actually are parsing arbitrary XML from unknown sources.