CVE-2025-6984
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-04
Assigner: huntr.dev
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langchain-ai | langchain | 0.3.63 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
An attacker exploiting this vulnerability can read files on the system that runs the affected loader by tricking the XML parser into including their contents in the parsed output. The result is information disclosure: local files that may hold credentials or other sensitive data can be exposed and used for further attacks or unauthorized access.
Can you explain this vulnerability to me?
This vulnerability exists in the EverNoteLoader component of the langchain-ai/langchain project and is caused by insecure XML parsing. The loader calls etree.iterparse() without disabling external entity resolution, so a crafted Evernote export (XML) that declares an external entity pointing at a local file is an XML External Entity (XXE) attack: when the loader parses the document, the parser substitutes the file's contents for the entity reference and the loaded text discloses sensitive information, such as the contents of /etc/passwd.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the langchain-ai/langchain project to a version later than 0.3.63, in which the XML parsing issue is fixed. If updating is not immediately possible, modify the EverNoteLoader component so that its etree.iterparse() call disables external entity resolution, which prevents XXE. Until the fix is in place, avoid loading Evernote exports from untrusted sources.
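As an added example (not langchain's own code or its fix), the hardened parsing described above in Python: a prolog guard that refuses documents declaring entities, and an lxml etree.iterparse() call with resolve_entities=False. The iter_note_titles function, its parameters and the sample prologs are assumptions constructed for this illustration; lxml is needed only for the parsing step.

```python
import re
from typing import Iterator

# An XXE payload needs an entity declaration in the DOCTYPE's internal subset,
# e.g. <!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///...">]>. An Evernote export
# references an external DTD but declares no entities itself, so an internal
# subset containing <!ENTITY is a reason to refuse the document (defence in depth).
_INTERNAL_SUBSET = re.compile(rb"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
_ENTITY_DECL = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def declares_entities(prolog: bytes) -> bool:
    """Return True if the XML prolog declares any entities (the XXE precondition)."""
    match = _INTERNAL_SUBSET.search(prolog)
    return bool(match and _ENTITY_DECL.search(match.group(1)))


def iter_note_titles(path: str, prolog_bytes: int = 4096) -> Iterator[str]:
    """Hypothetical hardened loader step: yield each <note>'s <title> text.

    The primary fix is resolve_entities=False, which leaves entity references
    unexpanded; load_dtd=False and no_network=True also stop the DTD fetch.
    """
    from lxml import etree  # imported lazily so the guard above works without lxml

    with open(path, "rb") as fh:
        if declares_entities(fh.read(prolog_bytes)):
            raise ValueError("refusing XML that declares entities (possible XXE)")
        fh.seek(0)
        context = etree.iterparse(fh, events=("end",), tag="note",
                                  resolve_entities=False, load_dtd=False,
                                  no_network=True)
        for _, note in context:
            yield note.findtext("title") or ""
            note.clear()  # release parsed subtrees on large exports


# Constructed samples, not real exports: a normal ENEX prolog and a hostile one.
BENIGN_PROLOG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export4.dtd">\n'
    b'<en-export><note><title>ok</title></note></en-export>'
)
HOSTILE_PROLOG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE en-export [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b'<en-export><note><title>&xxe;</title></note></en-export>'
)
```

The guard alone is not a complete fix, since an internal subset can be hidden past the first few kilobytes or wrapped in unusual whitespace; the parser flags are what actually prevent expansion.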