GHSA-PW95-88FG-3J6F

Vulnerability from github – Published: 2025-05-05 20:40 – Updated: 2025-05-05 22:07
VLAI?
Summary
Langroid Allows XXE Injection via XMLToolMessage
Details

Summary

A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.

Details

XMLToolMessage uses lxml without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries

PoC

A typical Quadratic blowup XML payload looks like this:

<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>

Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.

Fix

Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

Severity ?
7.8 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langroid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.53.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:44Z",
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.\n\n### Details\n`XMLToolMessage` uses `lxml` without safeguards:\nhttps://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52\n`lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. \nCheck here: https://pypi.org/project/defusedxml/#python-xml-libraries\n\n### PoC\nA typical Quadratic blowup XML payload looks like this:\n```xml\n\u003c!DOCTYPE bomb [\n\u003c!ENTITY a \"aaaaaaaaaa\"\u003e\n\u003c!ENTITY b \"\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\"\u003e\n\u003c!ENTITY c \"\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\"\u003e\n]\u003e\n\u003cbomb\u003e\u0026c;\u003c/bomb\u003e\n```\nHere, \u0026a; expands to 10 characters, \u0026b; expands to 100, and \u0026c; expands to 1000, causing exponential memory usage and potentially crashing the application.\n \n### Fix\nLangroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.\nhttps://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3",
  "id": "GHSA-pw95-88fg-3j6f",
  "modified": "2025-05-05T22:07:30Z",
  "published": "2025-05-05T20:40:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langroid/langroid"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Langroid Allows XXE Injection via XMLToolMessage"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.