CVE-2024-2965
Denial-of-Service in langchain-community SitemapLoader
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Denial-of-Service in langchain-community SitemapLoader
| Assigner | @huntr_ai |
| Reserved | 2024-03-26 |
| Published | 2024-06-06 |
| Updated | 2024-08-01 |
A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
| CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-400 Uncontrolled Resource Consumption
https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae
