Medium

langchain

Infinite Recursion Leading to Denial-of-Service in Sitemap Parsing

A Denial-of-Service vulnerability exists in the `SitemapLoader` class of the langchain-ai/langchain project due to infinite recursion when parsing self-referential sitemaps. This issue affects all versions of the software and can lead to server resource exhaustion and process crashes. The vulnerability was identified in an environment running Ubuntu 20.04.6 LTS, Nginx/1.25.2, and Python 3.11.0.

Available publicly on May 12 2024

CVSS score: 4.2

CVSS vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: dxan29a

Remediation Steps
  • Ensure that the `parse_sitemap` method includes a mechanism to detect and prevent parsing of sitemaps that refer to themselves.
  • Implement a maximum recursion depth for sitemap parsing to prevent infinite loops.
  • Validate and sanitize all URLs in sitemaps before attempting to parse them.
  • Regularly update the langchain-ai/langchain project to incorporate security patches and improvements.
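
The first three remediation steps combined in one walker, as an added example that is not langchain's code or its patch. The names `collect_urls`, `SitemapLimitError` and the `fetch` hook, the same-host policy, and the `example.test` sitemaps are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag, urlparse

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

class SitemapLimitError(Exception):
    """Nested sitemaps exceeded the configured depth."""

def _allowed(url, root_url):
    # Assumed policy: http(s) only, and same host as the root sitemap.
    u, r = urlparse(url), urlparse(root_url)
    return u.scheme in ("http", "https") and u.netloc == r.netloc

def collect_urls(root_url, fetch, max_depth=5):
    """Walk a sitemap tree without recursion. fetch(url) returns XML text."""
    seen, pages = set(), []
    stack = [(root_url, 0)]
    while stack:
        url, depth = stack.pop()
        key = urldefrag(url).url.rstrip("/")
        if key in seen:
            continue  # self-reference or cycle: already parsed
        if depth > max_depth:
            raise SitemapLimitError(f"nesting deeper than {max_depth}: {url}")
        seen.add(key)
        doc = ET.fromstring(fetch(url))
        for loc in doc.findall("sm:sitemap/sm:loc", NS):
            child = (loc.text or "").strip()
            if _allowed(child, root_url):
                stack.append((child, depth + 1))
        for loc in doc.findall("sm:url/sm:loc", NS):
            pages.append((loc.text or "").strip())
    return pages, seen

# Constructed sample: the index lists itself and one child sitemap.
XMLNS = 'xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"'
ROOT = "https://example.test/sitemap.xml"
SAMPLE = {
    ROOT: f"<sitemapindex {XMLNS}><sitemap><loc>{ROOT}</loc></sitemap>"
          "<sitemap><loc>https://example.test/posts.xml</loc></sitemap></sitemapindex>",
    "https://example.test/posts.xml": f"<urlset {XMLNS}><url><loc>https://example.test/a</loc></url>"
          "<url><loc>https://example.test/b</loc></url></urlset>",
}

if __name__ == "__main__":
    print(collect_urls(ROOT, SAMPLE.__getitem__))
```

The visited set stops a sitemap that lists itself or forms a cycle; the depth cap covers the case the set cannot, a server that answers every request with an index pointing at a URL not seen before.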
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A