CVE-2024-1455

MEDIUM

Langchain < 0.1.35 - XML Entity Expansion

Title source: rule

Description

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

References (2)

[Patch] https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6

Scores

CVSS v3 5.9

EPSS 0.0011

EPSS Percentile 28.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-776

Status published

Products (2)

langchain/langchain 0.1.4 - 0.1.35

pypi/langchain-core 0 - 0.1.35PyPI

Published Mar 26, 2024

Tracked Since Feb 18, 2026