CVE-2025-6984
Published 2025-09-04. CVE-2025-6984: The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing…
Priority: P2 58 high · CVSS 3.0: 7.5
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
EXPLOIT
EPSS: 1.53% (71.6th percentile)
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain-ai_langchain | unspecified – latest | — |
Detection & IOCs (extracted from sources)
- Look for EverNoteLoader instantiation with XML files containing DOCTYPE declarations and ENTITY references pointing to local file paths (e.g., `file:///etc/passwd`); these are hallmarks of XXE exploitation attempts against this component.
- Monitor for XML payloads processed by EverNoteLoader that include external entity declarations (`<!DOCTYPE ... <!ENTITY ... SYSTEM ...>`); the vulnerable code path is `etree.iterparse()` without external entity restrictions.
- A detection rule should match output or file-read responses containing strings like `root:`, `bin:`, or `daemon:` when they originate from a LangChain EverNoteLoader document-loading operation, indicating successful /etc/passwd exfiltration.
- The fix is tracked in commit e842452 of langchain-community; compare pre- and post-patch behavior of EverNoteLoader XML parsing to validate remediation.
- Only langchain-community version 0.3.63 is confirmed affected; the vulnerability is specific to the EverNoteLoader component and its use of `etree.iterparse()` without external entity restrictions.
- Red Hat notes that mitigation is either not available or that currently available options do not meet their criteria; the openshift-lightspeed/lightspeed-service-api-rhel9 package is confirmed Affected, while most Ansible Automation Platform and RHEL AI packages are Not affected.
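The description and the IOC list above both come down to one check: whether the document's DTD declares an external (`SYSTEM`/`PUBLIC`) entity before an entity-resolving parser sees it. The following is an added example, not langchain-community's code and not its fix: a stdlib-only pre-parse guard that enumerates entity declarations with expat (which never follows external references unless a handler is installed) and refuses such documents before they reach an iterparse-style loader. The ENEX samples, the DTD URL and the `file:///` path are constructed placeholders.

```python
import io
from xml.parsers import expat
import xml.etree.ElementTree as ET


def audit_xml_entities(data: bytes) -> list:
    """Return every external entity declared in the document's DTD.

    Each finding is (name, is_parameter_entity, system_id, public_id).
    No ExternalEntityRefHandler is installed, so expat never reads the
    referenced resource; the audit only inspects the declarations.
    """
    findings = []
    parser = expat.ParserCreate()
    # Also refuse to fetch an external DTD subset named on the DOCTYPE.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings.append((name, bool(is_param), system_id, public_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return findings


def load_enex_titles(data: bytes) -> list:
    """Audit first, then stream note titles the way an iterparse loader would."""
    external = audit_xml_entities(data)
    if external:
        names = ", ".join(name for name, _, _, _ in external)
        raise ValueError(f"refusing XML with external entity declarations: {names}")
    titles = []
    for _event, elem in ET.iterparse(io.BytesIO(data), events=("end",)):
        if elem.tag == "title":
            titles.append(elem.text or "")
    return titles


# Constructed samples shaped like an Evernote export (not real exports).
BENIGN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://dtd.example/enex.dtd">
<en-export><note><title>Weekly notes</title><content>hi</content></note></en-export>"""

# Internal subset declaring a SYSTEM entity: the hallmark listed in the IOCs above.
HOSTILE_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export [ <!ENTITY ext SYSTEM "file:///tmp/constructed-sample.txt"> ]>
<en-export><note><title>&ext;</title></note></en-export>"""

if __name__ == "__main__":
    print(load_enex_titles(BENIGN_ENEX))
    print(audit_xml_entities(HOSTILE_ENEX))
```

The benign sample keeps its DOCTYPE because real exports carry one; only the declared external entity is what the guard rejects, which is the distinction a monitoring rule built from the second IOC bullet also needs.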
CVSS provenance
- nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vendor_redhat · 7.5 HIGH
GHSA
CVE-2025-6984 [HIGH] CWE-200 · ghsa · 2025-09-04
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.
OSV
CVE-2025-6984 [HIGH] · osv · 2025-09-04
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The OSV entry carries the same description as the GHSA entry, including the note that the issue has been fixed in 0.3.27 of langchain-community.
Red Hat
CVE-2025-6984 [HIGH] CWE-200 · vendor_redhat · 2025-09-04 · CVSS 7.5
langchain-community: Langchain-community insecure XML parsing
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
An XML External Entity flaw has been discovered in the langchain-community python package. The EverNoteLoader component has an insecure use of the `etree.iterparse()` function which does not disable external entity references. This can
No detection rules found.
Nuclei
CVE-2025-6984 [HIGH] · nuclei · CVSS 7.5
langchain-ai langchain - XML External Entity Injection
langchain-ai/langchain 0.3.63 contains an XML External Entity (XXE) injection caused by insecure XML parsing in EverNoteLoader using etree.iterparse(), letting attackers disclose sensitive information; exploitation requires a crafted malicious XML payload.
Template:

```yaml
id: CVE-2025-6984

info:
  name: langchain-ai langchain - XML External Entity Injection
  author: nukunga
  severity: high
  description: |
    langchain-ai/langchain 0.3.63 contains an XML External Entity (XXE) injection caused by insecure XML parsing in EverNoteLoader using etree.iterparse(), letting attackers disclose sensitive information, exploit requires crafted malicious XML payload.
  impact: |
    Attackers can disclose sensitive local files, potentially exposing critical system informa
```
No writeups or analysis indexed.
Published: 2025-09-04