Vulnerability Description
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Langchain | Langchain | >= 0.1.4, <= 0.1.35 |
Related Weaknesses (CWE)
References
- https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137Patch
- https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6ExploitThird Party Advisory
- https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137Patch
- https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6ExploitThird Party Advisory
FAQ
What is CVE-2024-1455?
CVE-2024-1455 is a vulnerability with a CVSS score of 5.9 (MEDIUM). A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML docu...
How severe is CVE-2024-1455?
CVE-2024-1455 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-1455?
Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain.