Deprrous

**Name of the Vulnerable Software and Affected Versions** langchain-openai versões anteriores a 1.1.14 **Description** A função auxiliar ` url to size()`, utilizada por `get num tokens from messages` para a contagem de tokens de imagem, contém uma falha de Time-of-Check to Time-of-Use (TOCTOU). A função valida URLs para proteção contra Server-Side Request Forgery (SSRF) e, posteriormente, as busca usando uma operação de rede separada com resolução de DNS independente. Isso cria uma janela de DNS rebinding onde um nome de host controlado por um invasor pode resolver para um IP público durante a fase de validação e, em seguida, resolver para um IP privado ou localhost durante a operação de busca real. **Recommendations** Atualize para a versão 1.1.14 ou posterior.

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions 4.0.0-beta.3 through 5.5.5 **Description** fast-xml-parser allows users to process XML from JavaScript objects without relying on C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass that allows numeric character references (&#NNN;, &#xHH;) and standard XML entities to circumvent entity expansion limits (like `maxTotalExpansions` and `maxExpandedLength`) originally implemented to address CVE-2026-26278. This bypass enables a denial of service through XML entity expansion. The root cause is that the `replaceEntitiesValue()` function in `OrderedObjParser.js` only enforces expansion counting on entities defined in DOCTYPE, while the loop handling numeric and standard entities does not perform any counting. An attacker can supply a large number of numeric entity references, such as 1M instances of A, to force significant memory allocation (approximately 147MB) and high CPU usage, potentially crashing the process even with strict limits configured. **Recommendations** fast-xml-parser versions prior to 5.5.6 are affected. Update to version 5.5.6 or later to resolve this issue.