CVE-2024-1455 Billion Laughs Attack leading to DoS in langchain-ai/langchain

2024-03-2614:03:46

CWE-776

@huntr_ai

www.cve.org

cve-2024-1455

billion laughs attack

xml external entity exploitation

denial of service

langchain-ai/langchain

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

9.0%

JSON

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

CNA Affected

[
  {
    "vendor": "langchain-ai",
    "product": "langchain-ai/langchain",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "0.1.35",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]