CVE-2025-6984: XML External Entity (XXE) injection in the EverNoteLoader of langchain-community
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain-community | pip | < 0.3.27 | 0.3.27 |
Any deployment running langchain-community below 0.3.27 that passes untrusted .enex exports to EverNoteLoader is affected. The version number 0.3.63 quoted in the NVD text below is not a langchain-community release; the affected range and patched version are those in the table.
Severity & Risk
CVSS 3.0 base score 7.5 (High) from the vector under Technical Details: network attack vector, low complexity, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact. In practice the attacker needs the victim to load an attacker-supplied .enex file with EverNoteLoader; the parser then expands an external entity from the local filesystem and the file contents come back as note text.
Recommended Action
Patch available. Update langchain-community to 0.3.27 or later. Until the upgrade is deployed, do not feed untrusted .enex files to EverNoteLoader.
Technical Details
NVD Description
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
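As an added example (not code from langchain-community, the advisory, or the fix commit), the Python below shows the etree.iterparse() pattern the NVD text describes beside a hardened configuration, plus a dependency-free pre-parse check that refuses exports whose prolog declares external entities. The sample .enex documents, the helper names, and the hardened option set are assumptions of this example; it does not claim to reproduce the upstream patch.

```python
"""Added example (not code from langchain-community or the advisory).

Shows the XXE pattern the NVD text describes for lxml's etree.iterparse(),
a hardened iterparse() configuration, and a dependency-free check that
refuses .enex files whose prolog declares external entities. The sample
documents are constructed for this example; the hardened option set is a
recommended configuration, not a description of the upstream fix.
"""
import re
import tempfile
from pathlib import Path

# Constructed payload: an .enex-shaped document whose internal DTD subset
# declares an external entity and references it from the note title.
MALICIOUS_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<en-export>
  <note>
    <title>&xxe;</title>
    <content><![CDATA[<en-note>lorem</en-note>]]></content>
  </note>
</en-export>
"""

# Constructed benign export. Real Evernote exports reference an external DTD;
# with load_dtd=False and no_network=True it is never fetched.
BENIGN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export4.dtd">
<en-export>
  <note>
    <title>Groceries</title>
    <content><![CDATA[<en-note>milk, eggs</en-note>]]></content>
  </note>
</en-export>
"""

# Any SYSTEM or PUBLIC entity declaration (general or parameter entity).
_EXTERNAL_ENTITY = re.compile(rb"<!ENTITY\s+[^>]*\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def prolog(data: bytes) -> bytes:
    """Everything before the root element: XML declaration, DOCTYPE, internal subset."""
    m = re.search(rb"<(?![?!])", data)
    return data if m is None else data[: m.start()]


def declares_external_entity(data: bytes) -> bool:
    """True if the prolog declares an external (SYSTEM/PUBLIC) entity.

    Conservative pre-parse gate: a legitimate Evernote export carries no
    internal subset, so any entity declaration here is suspect.
    """
    return _EXTERNAL_ENTITY.search(prolog(data)) is not None


def note_titles(path: str, hardened: bool = True) -> list[str]:
    """Stream an .enex file with lxml and collect <title> text.

    hardened=False mirrors the pattern in the advisory: iterparse() with
    entity resolution left at its default, so a SYSTEM entity is expanded
    from the local filesystem and its contents land in the title.
    hardened=True disables entity resolution and DTD loading; the entity
    reference is kept unexpanded and the title text comes back empty.
    """
    from lxml import etree  # imported here so the prolog check needs no lxml

    kwargs = {"encoding": "utf-8"}
    if hardened:
        kwargs.update(resolve_entities=False, load_dtd=False, no_network=True)
    titles = []
    for _event, elem in etree.iterparse(path, tag="title", **kwargs):
        titles.append(elem.text or "")
        elem.clear()
    return titles


def load_enex_safely(path: str) -> list[str]:
    """Gate on the prolog first, then parse with the hardened parser."""
    data = Path(path).read_bytes()
    if declares_external_entity(data):
        raise ValueError(f"{path}: refusing to parse, prolog declares external entities")
    return note_titles(path, hardened=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("evil.enex", MALICIOUS_ENEX), ("ok.enex", BENIGN_ENEX)):
            p = Path(d, name)
            p.write_bytes(body)
            try:
                print(name, "->", load_enex_safely(str(p)))
            except ValueError as e:
                print(e)
        # Hardened parse of the payload itself: entity left unexpanded, title empty.
        print("hardened:", note_titles(str(Path(d, "evil.enex")), hardened=True))
```

The prolog gate is deliberately layered in front of the parser: `resolve_entities=False` alone stops the expansion, but rejecting the file outright also gives you a clean signal to alert on, since no genuine Evernote export declares entities in an internal subset. Keep `no_network=True` (lxml's default) and `load_dtd=False` together with `resolve_entities=False`; the first two only stop DTD fetching and do nothing for a `file:///` entity on their own.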
Weaknesses (CWE)
CWE-611: Improper Restriction of XML External Entity Reference (the standard classification for XXE)
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- github.com/advisories/GHSA-pc6w-59fv-rh23
- github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f
- github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py
- huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
- nvd.nist.gov/vuln/detail/CVE-2025-6984