CVE-2024-2965
published 2024-06-06CVE-2024-2965: A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The…
PriorityP419medium4.7CVSS 3.1
AVLACHPRLUINSUCNINAH
EPSS
0.30%
21.7th percentile
A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain-ai_langchain | >= unspecified < 0.2.5 | 0.2.5 |
| langchain | langchain | < 0.2.5 | 0.2.5 |
| langchain | langchain | >= 0 < 73c42306745b0831aa6fe7fe4eeb70d2c2d87a82 | 73c42306745b0831aa6fe7fe4eeb70d2c2d87a82 |
| langchain | langchain | >= 0 < 0.2.5 | 0.2.5 |
CVSS provenance
nvdv3.14.7MEDIUMCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
nvdv3.04.2MEDIUMCVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2024-2965: A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions
osv·2024-06-06
CVE-2024-2965 CVE-2024-2965: A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions
A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
GHSA
Denial of service in langchain-community
ghsa·2024-06-06
CVE-2024-2965 [MEDIUM] CWE-400 Denial of service in langchain-community
Denial of service in langchain-community
Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
OSV
Denial of service in langchain-community
osv·2024-06-06
CVE-2024-2965 [MEDIUM] Denial of service in langchain-community
Denial of service in langchain-community
Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
Red Hat
kernel: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
vendor_redhat·2024-07-12·CVSS 7.8
CVE-2024-40901 [HIGH] kernel: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
kernel: scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory
There is a potential out-of-bounds access when using test_bit() on a single
word. The test_bit() and set_bit() functions operate on long values, and
when testing or setting a single word, they can exceed the word
boundary. KASAN detects this issue and produces a dump:
BUG: KASAN: slab-out-of-bounds in _scsih_add_device.constprop.0 (./arch/x86/include/asm/bitops.h:60 ./include/asm-generic/bitops/instrumented-atomic.h:29 drivers/scsi/mpt3sas/mpt3sas_scsih.c:7331) mpt3sas
Write of size 8 at addr ffff8881d26e3c60 by task kworker/u1536:2/2965
For full log, please look at [1].
Make
Red Hat
langchain-community: Langchain-community SitemapParser DoS Vulnerability
vendor_redhat·2024-06-06·CVSS 4.7
CVE-2024-2965 [MEDIUM] CWE-674 langchain-community: Langchain-community SitemapParser DoS Vulnerability
langchain-community: Langchain-community SitemapParser DoS Vulnerability
A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
A flaw was found in langchain-community. The `SitemapLoader` class's `parse_sitemap`
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-06-06
Published