pysec-2024-118
Vulnerability from pysec
Published
2024-06-06 19:15
Modified
2024-11-03 20:22
Severity ?
Details
A Denial-of-Service (DoS) vulnerability exists in the SitemapLoader class of the langchain-ai/langchain repository, affecting all versions. The parse_sitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
Impacted products
| Name | purl |
|---|---|
| langchain | pkg:pypi/langchain |
Aliases
{ affected: [ { package: { ecosystem: "PyPI", name: "langchain", purl: "pkg:pypi/langchain", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "73c42306745b0831aa6fe7fe4eeb70d2c2d87a82", }, ], repo: "https://github.com/langchain-ai/langchain", type: "GIT", }, { events: [ { introduced: "0", }, { fixed: "0.2.5", }, ], type: "ECOSYSTEM", }, ], versions: [ "0.0.1", "0.0.10", "0.0.100", "0.0.101", "0.0.101rc0", "0.0.102", "0.0.102rc0", "0.0.103", "0.0.104", "0.0.105", "0.0.106", "0.0.107", "0.0.108", "0.0.109", "0.0.11", "0.0.110", "0.0.111", "0.0.112", "0.0.113", "0.0.114", "0.0.115", "0.0.116", "0.0.117", "0.0.118", "0.0.119", "0.0.12", "0.0.120", "0.0.121", "0.0.122", "0.0.123", "0.0.124", "0.0.125", "0.0.126", "0.0.127", "0.0.128", "0.0.129", "0.0.13", "0.0.130", "0.0.131", "0.0.132", "0.0.133", "0.0.134", "0.0.135", "0.0.136", "0.0.137", "0.0.138", "0.0.139", "0.0.14", "0.0.140", "0.0.141", "0.0.142", "0.0.143", "0.0.144", "0.0.145", "0.0.146", "0.0.147", "0.0.148", "0.0.149", "0.0.15", "0.0.150", "0.0.151", "0.0.152", "0.0.153", "0.0.154", "0.0.155", "0.0.156", "0.0.157", "0.0.158", "0.0.159", "0.0.16", "0.0.160", "0.0.161", "0.0.162", "0.0.163", "0.0.164", "0.0.165", "0.0.166", "0.0.167", "0.0.168", "0.0.169", "0.0.17", "0.0.170", "0.0.171", "0.0.172", "0.0.173", "0.0.174", "0.0.175", "0.0.176", "0.0.177", "0.0.178", "0.0.179", "0.0.18", "0.0.180", "0.0.181", "0.0.182", "0.0.183", "0.0.184", "0.0.185", "0.0.186", "0.0.187", "0.0.188", "0.0.189", "0.0.19", "0.0.190", "0.0.191", "0.0.192", "0.0.193", "0.0.194", "0.0.195", "0.0.196", "0.0.197", "0.0.198", "0.0.199", "0.0.2", "0.0.20", "0.0.200", "0.0.201", "0.0.202", "0.0.203", "0.0.204", "0.0.205", "0.0.206", "0.0.207", "0.0.208", "0.0.209", "0.0.21", "0.0.210", "0.0.211", "0.0.212", "0.0.213", "0.0.214", "0.0.215", "0.0.216", "0.0.217", "0.0.218", "0.0.219", "0.0.22", "0.0.220", "0.0.221", "0.0.222", "0.0.223", "0.0.224", "0.0.225", "0.0.226", "0.0.227", "0.0.228", "0.0.229", "0.0.23", "0.0.230", "0.0.231", "0.0.232", "0.0.233", "0.0.234", "0.0.235", "0.0.236", "0.0.237", "0.0.238", "0.0.239", "0.0.24", "0.0.240", "0.0.240rc0", "0.0.240rc1", "0.0.240rc4", "0.0.242", "0.0.243", "0.0.244", "0.0.245", "0.0.246", "0.0.247", "0.0.248", "0.0.249", "0.0.25", "0.0.250", "0.0.251", "0.0.252", "0.0.253", "0.0.254", "0.0.255", "0.0.256", "0.0.257", "0.0.258", "0.0.259", "0.0.26", "0.0.260", "0.0.261", "0.0.262", "0.0.263", "0.0.264", "0.0.265", "0.0.266", "0.0.267", "0.0.268", "0.0.269", "0.0.27", "0.0.270", "0.0.271", "0.0.272", "0.0.273", "0.0.274", "0.0.275", "0.0.276", "0.0.277", "0.0.278", "0.0.279", "0.0.28", "0.0.281", "0.0.283", "0.0.284", "0.0.285", "0.0.286", "0.0.287", "0.0.288", "0.0.289", "0.0.29", "0.0.290", "0.0.291", "0.0.292", "0.0.293", "0.0.294", "0.0.295", "0.0.296", "0.0.297", "0.0.298", "0.0.299", "0.0.3", "0.0.30", "0.0.300", "0.0.301", "0.0.302", "0.0.303", "0.0.304", "0.0.305", "0.0.306", "0.0.307", "0.0.308", "0.0.309", "0.0.31", "0.0.310", "0.0.311", "0.0.312", "0.0.313", "0.0.314", "0.0.315", "0.0.316", "0.0.317", "0.0.318", "0.0.319", "0.0.32", "0.0.320", "0.0.321", "0.0.322", "0.0.323", "0.0.324", "0.0.325", "0.0.326", "0.0.327", "0.0.329", "0.0.33", "0.0.330", "0.0.331", "0.0.331rc0", "0.0.331rc1", "0.0.331rc2", "0.0.331rc3", "0.0.332", "0.0.333", "0.0.334", "0.0.335", "0.0.336", "0.0.337", "0.0.338", "0.0.339", "0.0.339rc0", "0.0.339rc1", "0.0.339rc2", "0.0.339rc3", "0.0.34", "0.0.340", "0.0.341", "0.0.342", "0.0.343", "0.0.344", "0.0.345", "0.0.346", "0.0.347", "0.0.348", "0.0.349", "0.0.349rc1", "0.0.349rc2", "0.0.35", "0.0.350", "0.0.351", "0.0.352", "0.0.353", "0.0.354", "0.0.36", "0.0.37", "0.0.38", "0.0.39", "0.0.4", "0.0.40", "0.0.41", "0.0.42", "0.0.43", "0.0.44", "0.0.45", "0.0.46", "0.0.47", "0.0.48", "0.0.49", "0.0.5", "0.0.50", "0.0.51", "0.0.52", "0.0.53", "0.0.54", "0.0.55", "0.0.56", "0.0.57", "0.0.58", "0.0.59", "0.0.6", "0.0.60", "0.0.61", "0.0.63", "0.0.64", "0.0.65", "0.0.66", "0.0.67", "0.0.68", "0.0.69", "0.0.7", "0.0.70", "0.0.71", "0.0.72", "0.0.73", "0.0.74", "0.0.75", "0.0.76", "0.0.77", "0.0.78", "0.0.79", "0.0.8", "0.0.80", "0.0.81", "0.0.82", "0.0.83", "0.0.84", "0.0.85", "0.0.86", "0.0.87", "0.0.88", "0.0.89", "0.0.9", "0.0.90", "0.0.91", "0.0.92", "0.0.93", "0.0.94", "0.0.95", "0.0.96", "0.0.97", "0.0.98", "0.0.99", "0.0.99rc0", "0.1.0", "0.1.1", "0.1.10", "0.1.11", "0.1.12", "0.1.13", "0.1.14", "0.1.15", "0.1.16", "0.1.17", "0.1.17rc1", "0.1.19", "0.1.2", "0.1.20", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.2.0", "0.2.0rc1", "0.2.0rc2", "0.2.1", "0.2.2", "0.2.3", "0.2.4", ], }, ], aliases: [ "CVE-2024-2965", ], details: "A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.", id: "PYSEC-2024-118", modified: "2024-11-03T20:22:34.854295+00:00", published: "2024-06-06T19:15:00+00:00", references: [ { type: "EVIDENCE", url: "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae", }, { type: "WEB", url: "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae", }, { type: "FIX", url: "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82", }, ], severity: [ { score: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.