A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, has no check to stop recursion when a sitemap entry refers to the sitemap currently being parsed. Each recursive call fetches and parses the same document again, so the recursion is unbounded and ends only when Python's maximum recursion depth is exceeded and the process crashes with a `RecursionError`. Because every level of the recursion issues another request, an attacker who controls a sitemap can use this to tie up the loader's socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
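As an added illustration (not code from the langchain project or from the advisory; the project's actual fix should be read from the referenced commit), the sketch below reproduces the failure mode on a constructed, offline set of sitemaps and places the unguarded recursion beside a guarded version. The `FAKE_WEB` fixture, its `example.test` URLs, the `fetch` stand-in for an HTTP GET and the `max_depth` value are assumptions made for the example. It also goes beyond the self-reference case in the description to an indirect A -> B -> A cycle, which the same visited-set guard handles.

```python
import xml.etree.ElementTree as ET

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed, offline stand-in for the remote site (assumed URLs, not real ones):
#  - sitemap.xml is a sitemap index whose first entry is sitemap.xml itself,
#    the trigger described in the advisory;
#  - loop-a.xml / loop-b.xml form an indirect cycle (A -> B -> A);
#  - pages.xml is an ordinary urlset with two page URLs.
FAKE_WEB = {
    "https://example.test/sitemap.xml": """<?xml version="1.0"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.test/sitemap.xml</loc></sitemap>
  <sitemap><loc>https://example.test/pages.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.test/loop-a.xml": """<?xml version="1.0"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.test/loop-b.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.test/loop-b.xml": """<?xml version="1.0"?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.test/loop-a.xml</loc></sitemap>
  <sitemap><loc>https://example.test/pages.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.test/pages.xml": """<?xml version="1.0"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/a</loc></url>
  <url><loc>https://example.test/b</loc></url>
</urlset>""",
}

FETCH_COUNT = {"n": 0}  # counts simulated HTTP requests


def fetch(url):
    """Stand-in for an HTTP GET; on a real host every call would cost a socket."""
    FETCH_COUNT["n"] += 1
    return FAKE_WEB[url]


def parse_sitemap_unguarded(url):
    """Vulnerable pattern: recurse into every nested <sitemap><loc> with no
    memory of what has already been parsed. A self-referencing entry recurses
    until the interpreter's recursion limit trips (RecursionError)."""
    root = ET.fromstring(fetch(url))
    urls = []
    for loc in root.findall("sm:sitemap/sm:loc", NS):
        urls.extend(parse_sitemap_unguarded(loc.text.strip()))
    for loc in root.findall("sm:url/sm:loc", NS):
        urls.append(loc.text.strip())
    return urls


def parse_sitemap_guarded(url, seen=None, depth=0, max_depth=10):
    """Hardened pattern: a shared 'seen' set parses each sitemap URL at most
    once (covers self-references and A->B->A cycles), and max_depth bounds
    nesting so a long chain of distinct sitemaps cannot exhaust the stack."""
    if seen is None:
        seen = set()
    if url in seen or depth > max_depth:
        return []
    seen.add(url)
    root = ET.fromstring(fetch(url))
    urls = []
    for loc in root.findall("sm:sitemap/sm:loc", NS):
        urls.extend(parse_sitemap_guarded(loc.text.strip(), seen, depth + 1, max_depth))
    for loc in root.findall("sm:url/sm:loc", NS):
        urls.append(loc.text.strip())
    return urls


def demo(url="https://example.test/sitemap.xml"):
    """Run both parsers on the same sitemap. Returns
    (unguarded_hit_recursion_error, unguarded_fetches, guarded_urls, guarded_fetches)."""
    FETCH_COUNT["n"] = 0
    try:
        parse_sitemap_unguarded(url)
        crashed = False
    except RecursionError:
        crashed = True
    unguarded_fetches = FETCH_COUNT["n"]
    FETCH_COUNT["n"] = 0
    urls = parse_sitemap_guarded(url)
    return crashed, unguarded_fetches, urls, FETCH_COUNT["n"]


if __name__ == "__main__":
    print(demo())
    print(demo("https://example.test/loop-a.xml"))
```

The fetch counter is the point of the exercise: the unguarded parser issues hundreds of requests before the `RecursionError` lands, which is what the description's "socket/port resources" refers to, while the guarded one fetches the self-referencing index twice at most (once, plus the leaf sitemap). The two guards are complementary: the visited set alone does not bound a long chain of distinct sitemap URLs, and a depth cap alone still re-fetches a self-referencing sitemap `max_depth` times, so a loader should apply both.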
References
Link | Resource |
---|---|
https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82 | |
https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae | Exploit Third Party Advisory |
Configurations
History
03 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
References | | |
CWE | | |
Summary | (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality. |
15 Oct 2024, 18:55
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown v3 : 4.7 |
CWE | CWE-674 | |
First Time | Langchain, Langchain langchain | |
CPE | cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:* | |
References | () https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae - Exploit, Third Party Advisory |
25 Jun 2024, 11:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality. |
07 Jun 2024, 14:56
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
06 Jun 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-06 19:15
Updated : 2024-11-03 17:15
NVD link : CVE-2024-2965
Mitre link : CVE-2024-2965
CVE.ORG link : CVE-2024-2965
Products Affected
langchain
- langchain
CWE
CWE-674
Uncontrolled Recursion