CVE-2024-1455

Name of the Vulnerable Software and Affected Versions LangChain (affected versions not specified)

Description The issue concerns the XMLOutputParser in LangChain, which utilizes the etree module from the XML parser in the standard Python library. This library has some XML vulnerabilities, making it susceptible to a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS). This primarily affects users who combine a Large Language Model (LLM) or agent with the XMLOutputParser and expose the component via an endpoint on a web service, allowing a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.