Infinite Recursion Leading to Denial-of-Service in Sitemap Parsing
A Denial-of-Service vulnerability exists in the `SitemapLoader` class of the langchain-ai/langchain project due to infinite recursion when parsing self-referential sitemaps. This issue affects all versions of the software and can lead to server resource exhaustion and process crashes. The vulnerability was identified in an environment running Ubuntu 20.04.6 LTS, Nginx/1.25.2, and Python 3.11.0.
Available publicly on May 12 2024
Remediation Steps
- Ensure that the
parse_sitemap
method includes a mechanism to detect and prevent parsing of sitemaps that refer to themselves. - Implement a maximum recursion depth for sitemap parsing to prevent infinite loops.
- Validate and sanitize all URLs in sitemaps before attempting to parse them.
- Regularly update the langchain-ai/langchain project to incorporate security patches and improvements.
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.