CVE-2024-1455

Medium CVSS 5.9

Overview

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

CWE: CWE-776 Published: 2024-03-26T14:15:08.450

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 5.9 (MEDIUM)
Detected tags: dos, xxe (tag impact: MODERATE)

Recommended actions:

Rate limiting, resource quotas and circuit breakers.
Disable external entities in XML parsers; use safe libraries.

Overview

Recommended tools

Tags