CVE-2024-1455

Exploit

EPSS 0.1%
Veröffentlicht 26.03.2024 14:15:08
Zuletzt bearbeitet 30.07.2025 20:06:23
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Langchain ≫ Langchain Version >= 0.1.4 <= 0.1.35

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.289

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
security@huntr.dev	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3

Patch

https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-1455

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1455

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1455

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1455