CVE-2025-6984

HIGH NUCLEI

Pypi Langchain-community < 0.3.27 - Information Disclosure

Title source: rule

Description

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.

Nuclei Templates (1)

langchain-ai langchain - XML External Entity Injection

HIGHVERIFIEDby nukunga

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a

Scores

CVSS v3 7.5

EPSS 0.0192

EPSS Percentile 83.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (2)

langchain-ai/langchain-ai/langchain unspecified - latest

pypi/langchain-community 0 - 0.3.27PyPI

Published Sep 04, 2025

Tracked Since Feb 18, 2026