CVE-2025-6984
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-04

Last updated on: 2025-09-04

Assigner: huntr.dev

Description
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-04
Last Modified
2025-09-04
Generated
2026-06-16
AI Q&A
2025-09-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-6984
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langchain-ai langchain 0.3.63
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

An attacker exploiting this vulnerability can gain access to sensitive information stored on the affected system by tricking it into revealing local files. This can lead to information disclosure, potentially exposing critical data that could be used for further attacks or unauthorized access.

Executive Summary

This vulnerability exists in the langchain-ai/langchain project's EverNoteLoader component due to insecure XML parsing. Specifically, it uses etree.iterparse() without disabling external entity references, which allows an attacker to perform XML External Entity (XXE) attacks. By sending a malicious XML payload that references local files, an attacker can cause the system to disclose sensitive information such as the contents of /etc/passwd.

Mitigation Strategies

To mitigate this vulnerability, immediately update or patch the langchain-ai/langchain project to a version later than 0.3.63 where the XML parsing issue is fixed. Alternatively, modify the EverNoteLoader component to disable external entity references when using etree.iterparse(), preventing XXE attacks. Avoid processing untrusted XML inputs until the issue is resolved.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6984. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart