Name of the Vulnerable Software and Affected Versions:
langchain-ai/langchain version 0.3.63
Description:
The EverNoteLoader component (`langchain_community.document_loaders.evernote` in the same repository) parses Evernote `.enex` exports with lxml's `etree.iterparse()` and leaves entity resolution at the parser's default, so it is susceptible to XML External Entity (XXE) attacks. An attacker who can get an `.enex` file in front of the loader can declare an external entity in the document's internal DTD subset, for example `<!ENTITY xxe SYSTEM "file:///etc/passwd">`, and reference it from a text node such as a note title. lxml's default `no_network=True` blocks http and ftp URLs but not `file://`, so the referenced local file is read and its contents are copied into the text and metadata of the Documents the loader returns, disclosing it to whoever consumes those Documents.
Recommendations:
Update langchain-ai/langchain (the loader ships in the `langchain-community` package of the same repository) to a version where this issue has been addressed. Until then, do not run EverNoteLoader on `.enex` files from untrusted sources; if the component cannot be disabled, reject any export whose DOCTYPE carries an internal subset that declares entities before handing it to the loader. A genuine Evernote export only references the external evernote-export DTD in its DOCTYPE and declares no entities of its own.
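The following script is an added example, not code from the advisory or from the langchain code base. It reproduces the pattern described above with a constructed `.enex` payload whose DOCTYPE declares a `file://` entity, parses it with `etree.iterparse()` both at lxml's default entity resolution and with `resolve_entities=False`, and shows the prolog pre-check suggested as a workaround. The `ENEX_TEMPLATE` payload, the `SECRET` file, and the functions `declares_external_entity`, `extract_titles` and `run_demo` are all hypothetical names introduced here; the hardened parser options are the ones a practitioner would choose, not the project's own patch. It assumes lxml is installed and writes only to a temporary directory.

```python
"""Added example: XXE through lxml's etree.iterparse() and a hardened parse.

Not from the advisory or langchain. Assumes lxml is installed. The .enex
payload and the "secret" file are constructed in a temp directory, so
nothing else on the host is read.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

from lxml import etree

# Constructed ENEX-style export: the usual external DTD reference plus an
# internal subset declaring an external general entity. A real payload would
# point the entity at /etc/passwd or a credentials file instead.
ENEX_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export3.dtd" [
  <!ENTITY xxe SYSTEM "{file_url}">
]>
<en-export export-date="20240101T000000Z" application="Evernote" version="10.0">
  <note>
    <title>&xxe;</title>
    <content>&lt;en-note&gt;hello&lt;/en-note&gt;</content>
  </note>
</en-export>
"""

SECRET = "SECRET-TOKEN-12345"  # constructed file content, stands in for /etc/passwd

# The DOCTYPE declaration, with or without an internal subset in [...].
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.DOTALL)
# An external (SYSTEM/PUBLIC) general or parameter entity declaration.
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def declares_external_entity(xml_bytes: bytes) -> bool:
    """Cheap pre-filter to run before any XML loader: True if the DOCTYPE
    declares an external entity. A genuine Evernote export only references
    the evernote-export DTD and passes. This is a pre-check, not a
    replacement for hardening the parser itself."""
    doctype = _DOCTYPE_RE.search(xml_bytes)
    return bool(doctype and _EXTERNAL_ENTITY_RE.search(doctype.group(0)))


def extract_titles(enex_path: str, hardened: bool) -> List[str]:
    """Stream <title> text out of an .enex file the way a loader would.

    hardened=False leaves resolve_entities at lxml's default (True), which sets
    libxml2's NOENT flag: external entities are fetched and substituted into
    the text. no_network=True (also the default) only blocks http/ftp, not
    file://. hardened=True passes resolve_entities=False; libxml2 then does
    not load an external parsed entity at all unless DTD validation is on.
    """
    context = etree.iterparse(
        enex_path,
        events=("end",),
        tag="title",
        encoding="utf-8",
        huge_tree=True,           # needed for large exports, but lifts libxml2 limits
        recover=True,
        resolve_entities=not hardened,
        no_network=True,
        load_dtd=False,           # never fetch the external DTD subset
    )
    titles: List[str] = []
    for _event, elem in context:
        # With entities left unresolved the reference stays a child node and
        # elem.text is None, so the secret never reaches the output.
        titles.append(elem.text or "")
        elem.clear()
    return titles


def run_demo() -> Dict[str, object]:
    """Write the payload and the secret to a temp dir and parse both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "secret.txt"
        secret_path.write_text(SECRET, encoding="utf-8")
        payload = ENEX_TEMPLATE.format(file_url=secret_path.as_uri()).encode("utf-8")
        enex_path = os.path.join(tmp, "evil.enex")
        with open(enex_path, "wb") as fh:
            fh.write(payload)
        return {
            "flagged": declares_external_entity(payload),
            "vulnerable_titles": extract_titles(enex_path, hardened=False),
            "hardened_titles": extract_titles(enex_path, hardened=True),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script: the payload is flagged by the pre-check, the default-configured parse returns the secret file's contents as the note title, and the hardened parse returns an empty title without opening the file. Note that `resolve_entities=False` addresses disclosure only; `huge_tree=True` relaxes libxml2's size and entity-amplification limits, so rejecting entity declarations up front with `declares_external_entity` is still worthwhile against DTD-based denial of service.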