Python's libexpat library is outdated and vulnerable to CVE-2016-0718 https://sourceforge.net/p/expat/bugs/537/
which can cause remote code execution through malicious xml files. The attached POC crashed both python 2.7 and python 3.5 on my windows machine.

What is the first expat version which isn't vulnerable?

I guess that this issue only impacts platforms which don't use --with-system-expat. Linux distributions use the system expat library for example.

Currently, the Python master branch embeds a copy of expat 2.1.1:

Modules/expat/expat.h
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 1
#define XML_MICRO_VERSION 1

I add this vulnerability to Python security document:
http://python-security.readthedocs.io/vuln/cve-2016-0718_expat_bug_537.html

According to their changelog here https://github.com/libexpat/libexpat/blob/master/expat/Changes
The vulnerability was fixed in expat 2.2.0 and yes it does not affect system that use --with-system-expat.

I have checked in 3.4, 3.5 and 3.6, it's the version 2.1.1 excepted for 2.7, 3.3 it's the version 2.1.0

Isn't this a duplicate of Issue29591 ?

Yep, it's similar

I opened a thread on python-dev to ask if we could drop our embedded copy of libexpat:
https://mail.python.org/pipermail/python-dev/2017-June/148287.html

I am closing this issue as a duplicate of the existing Issue29591. We can retitle the PR to be associated with it.  And I am making Issue29591 a release blocker for 3.6.2; regardless of what we decide to for 3.7, we're not going to drop the embedded copies of expat for current releases.