High severity · score 7.5 · GHSA Advisory · Published Sep 4, 2025 · Updated Apr 15, 2026
CVE-2025-6984
Description
The EverNoteLoader in the langchain-ai/langchain project (shipped in the langchain-community package) parses Evernote .enex exports with lxml's etree.iterparse() without disabling external entity resolution, which makes it vulnerable to XML External Entity (XXE) injection. The original description names version 0.3.63 as affected; the advisory's package data below scopes the affected range to langchain-community before 0.3.27, with 0.3.27 as the patched release. An attacker who can supply an .enex file to the loader can declare an external entity in the document's DTD that references a local file, such as /etc/passwd, and have that file's contents expanded into the loaded document text, disclosing sensitive data to whoever consumes the resulting documents.
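The parsing mistake described above, worked through as an added example that is not code from langchain or langchain-community. It builds a constructed .enex file whose internal DTD subset declares an external entity pointing at a local canary file (standing in for /etc/passwd), rejects any export that declares entities before a parser sees it, and, when lxml is installed, parses with entity resolution and DTD loading turned off; without lxml it falls back to the standard-library parser, which never resolves external entities. The guard function, the hardened option set and the sample exports are this example's own assumptions, not the project's fix.

```python
"""Guarded .enex loading: refuse entity declarations up front and, when lxml
is used, parse with external-entity expansion and DTD fetching disabled.
Added example for this advisory; not code from langchain-community."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# An entity declaration is only legal inside a DTD and is the XXE vector; a
# genuine Evernote export never needs one. Matching the raw bytes also catches
# "<!ENTITY % ..." parameter entities, and will flag a CDATA block that happens
# to contain the string, which is an acceptable false positive for an input guard.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)

# Constructed canary text; it would only show up in a note if XXE succeeded.
CANARY = "root:x:0:0:root:/root:/bin/bash"


def declares_entities(data: bytes) -> bool:
    """True if the document carries an entity declaration anywhere."""
    return _ENTITY_DECL.search(data) is not None


def hardened_iterparse_kwargs() -> dict:
    """lxml.etree.iterparse options that stop entity expansion and any DTD or
    network fetch. These are the settings a reviewer expects a fix for this
    class of bug to set; they are an assumption here, not a quotation of the
    langchain-community commit."""
    return {
        "resolve_entities": False,  # leave &xxe; unexpanded
        "no_network": True,         # never fetch remote DTDs or entities
        "load_dtd": False,          # do not load the external subset at all
        "dtd_validation": False,
    }


def load_notes(path: str) -> list:
    """Parse an .enex file into [{"title": ..., "content": ...}], refusing any
    file that declares entities. The original loader calls etree.iterparse()
    with none of the hardening options; this is the guarded equivalent."""
    with open(path, "rb") as fh:
        if declares_entities(fh.read()):
            raise ValueError(f"{path}: entity declaration in .enex input; refusing to parse")
    try:
        from lxml import etree  # optional in this example
        context = etree.iterparse(path, events=("end",), tag="note",
                                  **hardened_iterparse_kwargs())
    except ImportError:
        context = ET.iterparse(path, events=("end",))
    notes = []
    for _, elem in context:
        if elem.tag != "note":
            continue
        notes.append({"title": elem.findtext("title", ""),
                      "content": elem.findtext("content", "")})
        elem.clear()
    return notes


def build_xxe_payload(target: str) -> bytes:
    """The attack input: an .enex whose internal DTD subset declares an
    external entity for a local file and expands it inside a note."""
    uri = Path(target).resolve().as_uri()
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE en-export [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<en-export><note><title>pwned</title>"
        "<content>&xxe;</content></note></en-export>\n"
    ).encode()


def build_benign_export() -> bytes:
    """A constructed export in the usual .enex shape: a DOCTYPE that references
    Evernote's DTD (legitimate, and not an entity declaration) plus one note."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export3.dtd">\n'
        "<en-export><note><title>Grocery list</title>"
        "<content>milk, eggs</content></note></en-export>\n"
    ).encode()


def run_demo() -> dict:
    """Write the canary and both exports to a temp dir; report whether the
    attack file was refused and what the benign one yields."""
    with tempfile.TemporaryDirectory() as tmp:
        canary = os.path.join(tmp, "secret.txt")
        Path(canary).write_text(CANARY)
        evil = os.path.join(tmp, "evil.enex")
        Path(evil).write_bytes(build_xxe_payload(canary))
        good = os.path.join(tmp, "good.enex")
        Path(good).write_bytes(build_benign_export())
        try:
            load_notes(evil)
            evil_blocked = False
        except ValueError:
            evil_blocked = True
        return {"evil_blocked": evil_blocked, "notes": load_notes(good)}


if __name__ == "__main__":
    print(run_demo())
```

Run it as a script to see the attack file refused and the benign note read back. The byte-level guard is deliberately separate from the parser options: the options protect the lxml call, the guard protects against a future change of parser or of lxml defaults. To check an installed copy, run pip show langchain-community; anything below 0.3.27 is inside the advisory's affected range.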
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| langchain-community | PyPI | < 0.3.27 | 0.3.27 |
Affected products
Six entries; none has a CPE assigned.
- Advisory range: < 0.3.27
- OSV coordinates (5 packages):
- pkg:apk/chainguard/open-webui: < 0.6.27-r0
- pkg:apk/chainguard/open-webui-compat: < 0.6.27-r0
- pkg:apk/wolfi/open-webui: < 0.6.27-r0
- pkg:apk/wolfi/open-webui-compat: < 0.6.27-r0
- pkg:pypi/langchain-community: < 0.3.27
References
- GHSA advisory: https://github.com/advisories/GHSA-pc6w-59fv-rh23 (GHSA; ADVISORY)
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-6984 (GHSA; ADVISORY)
- langchain-community commit referenced by the advisory: https://github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f (GHSA; WEB)
- EverNoteLoader source in the langchain repository: https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py (GHSA; WEB)
- huntr report: https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a (NVD; WEB)