THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)

Ok

PUBLISHED

CVE-2024-2965

Denial-of-Service in LangChain SitemapLoader in langchain-ai/langchain

Reserved:2024-03-26
Published:2024-06-06
Updated:2024-06-07

Description

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.



MEDIUM: 4.2CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400 Uncontrolled Resource Consumption

Product status

Any version
affected

References

https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae

cve.org CVE-2024-2965

nvd.nist.gov CVE-2024-2965

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-2965