CVE-2025-6984
HIGH NUCLEIlangchain-community < 0.3.27 - XML External Entity Injection in EverNoteLoader
Title source: llmExploitation Summary
CVE-2025-6984 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
Nuclei Templates (1)
langchain-ai langchain - XML External Entity Injection
HIGHVERIFIEDby nukunga
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
Scores
CVSS v3
7.5
EPSS
0.0192
EPSS Percentile
83.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
langchain-ai/langchain-ai/langchain
unspecified - latest
pypi/langchain-community
0 - 0.3.27PyPI
Published
Sep 04, 2025
Tracked Since
Feb 18, 2026