Moderate severityNVD Advisory· Published Mar 26, 2024· Updated Aug 15, 2024
Billion Laughs Attack leading to DoS in langchain-ai/langchain
CVE-2024-1455
Description
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
langchain-corePyPI | < 0.1.35 | 0.1.35 |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-q84m-rmw3-4382ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-1455ghsaADVISORY
- github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3ghsaWEB
- github.com/langchain-ai/langchain/pull/17250ghsaWEB
- github.com/langchain-ai/langchain/pull/19653ghsaWEB
- github.com/langchain-ai/langchain/pull/19660ghsaWEB
- huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6ghsaWEB
News mentions
0No linked articles in our index yet.