cve@huntr_ai, CVE-2024-1455. History: Mar 26, 2024 - 2:15 p.m.

CVE-2024-1455

Published: 2024-03-26 14:15:08
CWE: CWE-776 (Improper Restriction of Recursive Entity References in DTDs, "XML Entity Expansion")
Source: @huntr_ai
Reference: web.nvd.nist.gov
50
Tags: xmloutputparser, langchain, attack, llm, web-service, availability

CVSS3

Base score: 5.9 (Medium)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector           NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  NONE
Integrity Impact        NONE
Availability Impact     HIGH

EPSS

Score: 0
Percentile: 9.0%

A vulnerability in the langchain-ai/langchain repository (the XMLOutputParser component, per the tags) allows a Billion Laughs attack, an XML entity expansion vulnerability classified here as CWE-776. This is related to but distinct from XML External Entity (XXE) injection: the payload does not reference external resources, it declares nested internal entities in the document's DTD, each of which refers many times to the one below it, so that a document of a few hundred bytes expands to gigabytes of text when the parser resolves the references. The parser consumes excessive CPU and memory, producing a denial of service; the CVSS vector accordingly scores availability impact HIGH and confidentiality and integrity impact NONE. Versions before 0.1.35 are affected and 0.1.35 is the first fixed release per the CNA range below. Because the parser consumes model output, an attacker has to cause the model (or whatever else feeds the parser) to emit the malicious document, which is reflected in the HIGH attack complexity.
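The expansion described above, and the pre-parse guard a consumer of model output can put in front of a DTD-expanding parser, as an added example. This is not LangChain's code or its fix; the payload builder, the `reject_dtd`/`safe_parse`/`is_rejected` helpers and the sample model output are constructed for the demonstration, and the payload is deliberately scaled down so it runs in milliseconds.

```python
# Added example, not LangChain's code: builds a scaled-down Billion Laughs
# document, shows the expansion a DTD-expanding parser performs, and applies a
# pre-parse guard that refuses DOCTYPE/entity declarations. All helper names
# (billion_laughs, reject_dtd, safe_parse, is_rejected) are hypothetical.
import xml.etree.ElementTree as ET
import xml.parsers.expat


def billion_laughs(depth: int, fanout: int, leaf: str = "lol") -> str:
    """Nested-entity payload: lolN expands to `fanout` copies of lol(N-1).
    The text grows as len(leaf) * fanout**depth; the classic attack uses
    depth=9, fanout=10 (about 3 GB of text from under 1 KB of input).
    Keep both parameters small when running this."""
    decls = [f'<!ENTITY lol0 "{leaf}">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE lolz [\n" + "\n".join(decls) + "\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def expanded_size(doc: str) -> int:
    """Parse with the stdlib parser, which resolves internal entities, and
    return how much text the root element ends up holding."""
    return len(ET.fromstring(doc).text or "")


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD and therefore may declare entities."""


def reject_dtd(doc: str) -> str:
    """Streaming expat pass that aborts on the first DOCTYPE or entity
    declaration. Expansion needs declared entities, so a document that
    passes here cannot carry this payload. Nothing is expanded during the
    check: the DOCTYPE handler fires before any entity is processed."""

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} not accepted")

    def on_entity(name, *rest):
        raise UnsafeXML(f"entity declaration {name!r} not accepted")

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(doc, True)  # exceptions raised in handlers propagate out of Parse()
    return doc


def safe_parse(doc: str) -> ET.Element:
    """Hand model output to the real parser only after the guard accepted it."""
    return ET.fromstring(reject_dtd(doc))


def is_rejected(doc: str) -> bool:
    """True when the guard refuses the document, False when it parses."""
    try:
        safe_parse(doc)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    payload = billion_laughs(depth=3, fanout=10)
    print(f"payload: {len(payload)} bytes -> {expanded_size(payload)} chars of text")
    # Constructed sample of the kind of XML a model-output parser expects.
    benign = "<answer><item>first</item><item>second</item></answer>"
    print("benign items:", [e.text for e in safe_parse(benign)])
    print("payload rejected by guard:", is_rejected(payload))
```

With depth=3 and fanout=10 the 316-byte document expands to 3000 characters of text; raising the depth to 9 gives the roughly 3 GB expansion of the original attack, so do not do that on a machine you care about. A DTD is never legitimate in structured model output, which is why refusing any DOCTYPE is the cheapest and most robust guard; libraries such as defusedxml take the same approach, and a libexpat built with its amplification limit (which only engages after about 8 MiB of expanded output) should be treated as a backstop rather than the control, as the small example above shows it does not intervene at all.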

Affected configurations

Vulnrichment node (CPE match):

Vendor        Product                  Version   CPE
langchain-ai  langchain-ai/langchain   0.1.35    cpe:2.3:a:langchain-ai:langchain-ai\/langchain:0.1.35:*:*:*:*:*:*:*

The CPE string carries version 0.1.35, which the CNA range below identifies as the first fixed release (versions below it are affected); read it as the upper bound of the affected range rather than as an affected version when matching installed packages.

CNA Affected

[
  {
    "vendor": "langchain-ai",
    "product": "langchain-ai/langchain",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "0.1.35",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]
