Deprrous

**Name of the Vulnerable Software and Affected Versions** langchain-openai versions prior to 1.1.14 **Description** The ` url to size()` helper function, utilized by `get num tokens from messages` for image token counting, contains a Time-of-Check to Time-of-Use (TOCTOU) flaw. The function validates URLs for Server-Side Request Forgery (SSRF) protection and subsequently fetches them using a separate network operation with independent DNS resolution. This creates a DNS rebinding window where an attacker-controlled hostname can resolve to a public IP during the validation phase and then resolve to a private or localhost IP during the actual fetch operation. **Recommendations** Update to version 1.1.14 or later.

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions 4.0.0-beta.3 through 5.5.5 **Description** fast-xml-parser allows users to process XML from JavaScript objects without relying on C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass that allows numeric character references (&#NNN;, &#xHH;) and standard XML entities to circumvent entity expansion limits (like `maxTotalExpansions` and `maxExpandedLength`) originally implemented to address CVE-2026-26278. This bypass enables a denial of service through XML entity expansion. The root cause is that the `replaceEntitiesValue()` function in `OrderedObjParser.js` only enforces expansion counting on entities defined in DOCTYPE, while the loop handling numeric and standard entities does not perform any counting. An attacker can supply a large number of numeric entity references, such as 1M instances of A, to force significant memory allocation (approximately 147MB) and high CPU usage, potentially crashing the process even with strict limits configured. **Recommendations** fast-xml-parser versions prior to 5.5.6 are affected. Update to version 5.5.6 or later to resolve this issue.