PT-2025-35896 · Langchain Ai · Langchain

Published 2025-09-04 · Updated 2025-09-04 · CVE-2025-6984

CVSS v3.1: 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: langchain-ai/langchain version 0.3.63
Description: The EverNoteLoader component is susceptible to XML External Entity (XXE) attacks due to insecure XML parsing. The issue stems from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure: a crafted XML payload that declares an entity referencing a local file, such as /etc/passwd, could expose that file's contents in the loaded documents.
Recommendations: Update langchain-ai/langchain to a version where this issue has been addressed. As a temporary workaround, consider disabling the use of the EverNoteLoader component until a patch is available.
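The defensive pattern behind the fix, as an added example that is not langchain's code: scan the export's DTD for entity declarations carrying a SYSTEM or PUBLIC identifier before streaming it with iterparse, and refuse the file if any are present. It uses only the Python standard library (with lxml, the corresponding parser-level setting is etree.XMLParser(resolve_entities=False)); both ENEX samples are constructed, and the SYSTEM identifier in the tampered one is a placeholder.

```python
import io
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed ENEX sample. The DOCTYPE points at Evernote's export DTD, as real
# exports do; expat does not fetch it because parameter-entity parsing is off.
BENIGN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export3.dtd">
<en-export export-date="20250904T000000Z" application="Evernote" version="10.0">
  <note><title>Groceries</title><content><![CDATA[<en-note>milk</en-note>]]></content></note>
  <note><title>Ideas</title><content><![CDATA[<en-note>ship it</en-note>]]></content></note>
</en-export>"""

# Constructed tampered sample: an internal DTD subset declaring an external
# entity. The SYSTEM identifier is a placeholder, not a real resource.
TAMPERED_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<en-export>
  <note><title>&ext;</title><content><![CDATA[<en-note>x</en-note>]]></content></note>
</en-export>"""


def external_entities(xml_bytes: bytes) -> list[str]:
    """Names of entities declared with a SYSTEM or PUBLIC identifier.
    Only expat's declaration callback is used and no ExternalEntityRefHandler
    is installed, so nothing is resolved or fetched during the scan."""
    found: list[str] = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append(name)

    parser = expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # malformed input is rejected by the real parse below anyway
    return found


def load_note_titles(xml_bytes: bytes) -> list[str]:
    """Hardened iterparse loader: refuse any export declaring external
    entities before its content is touched, then stream note titles."""
    declared = external_entities(xml_bytes)
    if declared:
        raise ValueError(f"refusing export: external entity declarations {declared}")
    titles = []
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("end",)):
        if elem.tag == "title":
            titles.append(elem.text or "")
    return titles
```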

Fix · Information Disclosure · XXE

Weakness Enumeration

Related Identifiers

CVE-2025-6984
GHSA-PC6W-59FV-RH23

Affected Products

Langchain