CVE-2024-2965

low-risk
Published 2024-06-06

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.7/10 Medium
LOCAL / HIGH complexity

Affected Products (1)

Affected Vendors

Langchain

References (3)

https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d...
Exploit https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae
Exploit https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae
17
/ 100
low-risk
Severity 12/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal