CVE-2024-2965

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
Configurations

Configuration 1 (hide)

cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*

History

03 Nov 2024, 17:15

Type Values Removed Values Added
References
  • () https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82 -
CWE CWE-400
Summary (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality. (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

15 Oct 2024, 18:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.2
v2 : unknown
v3 : 4.7
CWE CWE-674
First Time Langchain
Langchain langchain
CPE cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*
References () https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae - () https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae - Exploit, Third Party Advisory

25 Jun 2024, 11:15

Type Values Removed Values Added
Summary (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality. (en) A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

07 Jun 2024, 14:56

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de denegación de servicio (DoS) en la clase `SitemapLoader` del repositorio `langchain-ai/langchain`, que afecta a todas las versiones. El método `parse_sitemap`, responsable de analizar mapas de sitio y extraer URL, carece de un mecanismo para evitar la recursividad infinita cuando la URL de un mapa de sitio hace referencia al propio mapa de sitio actual. Este descuido permite la posibilidad de que se produzca un bucle infinito, lo que provocará un bloqueo al exceder la profundidad máxima de recursividad en Python. Esta vulnerabilidad se puede aprovechar para ocupar recursos de puerto/socket del servidor y bloquear el proceso de Python, lo que afecta la disponibilidad de los servicios que dependen de esta funcionalidad.

06 Jun 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-06 19:15

Updated : 2024-11-03 17:15


NVD link : CVE-2024-2965

Mitre link : CVE-2024-2965

CVE.ORG link : CVE-2024-2965


JSON object : View

Products Affected

langchain

  • langchain
CWE
CWE-674

Uncontrolled Recursion