CVE-2024-2965
published 2024-06-06


Priority: P4 (19), medium
CVSS 3.1: 4.7 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.30% (21.7th percentile)
A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
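The recursion the advisory describes, shown as an added illustration rather than langchain's own `parse_sitemap` or the project's fix: a minimal recursive sitemap walker with no cycle guard beside one that records visited sitemap URLs and caps nesting depth. The sample sitemaps, the `example.invalid` URLs and the `fetch` helper are constructed for this example so it runs offline.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
INDEX_URL = "https://example.invalid/sitemap.xml"

# Constructed sample sitemaps served from memory so the example runs offline.
# The index lists itself as a child sitemap, the shape the advisory describes.
SAMPLE_SITEMAPS = {
    INDEX_URL: f"""<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>{INDEX_URL}</loc></sitemap>
  <sitemap><loc>https://example.invalid/pages.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.invalid/pages.xml": """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.invalid/a</loc></url>
  <url><loc>https://example.invalid/b</loc></url>
</urlset>""",
}

def fetch(url):
    """Hypothetical stand-in for an HTTP fetch: look the URL up in the samples."""
    return SAMPLE_SITEMAPS[url]

def parse_sitemap_unguarded(url):
    """Recursive walk with no visited-set: a sitemap that lists itself recurses
    until Python raises RecursionError, the crash condition the advisory describes."""
    root = ET.fromstring(fetch(url))
    urls = [loc.text.strip() for loc in root.findall(f"{NS}url/{NS}loc")]
    for loc in root.findall(f"{NS}sitemap/{NS}loc"):
        urls.extend(parse_sitemap_unguarded(loc.text.strip()))
    return urls

def parse_sitemap_guarded(url, seen=None, depth=0, max_depth=10):
    """Same walk, but each sitemap URL is fetched at most once and nesting is
    capped, so self-references and longer cycles terminate with a finite result."""
    seen = set() if seen is None else seen
    if url in seen or depth > max_depth:
        return []
    seen.add(url)
    root = ET.fromstring(fetch(url))
    urls = [loc.text.strip() for loc in root.findall(f"{NS}url/{NS}loc")]
    for loc in root.findall(f"{NS}sitemap/{NS}loc"):
        urls.extend(parse_sitemap_guarded(loc.text.strip(), seen, depth + 1, max_depth))
    return urls

def unguarded_hits_recursion_limit(url=INDEX_URL):
    """Run the unguarded walker and report whether it exhausted the call stack."""
    try:
        parse_sitemap_unguarded(url)
    except RecursionError:
        return True
    return False
```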

Affected

4 ranges

Vendor       | Product                | Version range                                      | Fixed in
langchain-ai | langchain-ai_langchain | >= unspecified < 0.2.5                             | 0.2.5
langchain    | langchain              | < 0.2.5                                            | 0.2.5
langchain    | langchain              | >= 0 < 73c42306745b0831aa6fe7fe4eeb70d2c2d87a82    | 73c42306745b0831aa6fe7fe4eeb70d2c2d87a82
langchain    | langchain              | >= 0 < 0.2.5                                       | 0.2.5

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 4.7   | MEDIUM   | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
nvd           | v3.0    | 4.2   | MEDIUM   | CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat |         | 7.8   | HIGH     |