CVE-2024-2965

2024-06-0619:15:55

CWE-400

[email protected]

web.nvd.nist.gov

dos vulnerability

sitemaploader class

langchain-ai/langchain

infinite recursion

crash

availability

python process

nvd

4.2 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

4.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

A Denial-of-Service (DoS) vulnerability exists in the SitemapLoader class of the langchain-community package, affecting all versions. The parse_sitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "langchain-community",
    "vendor": "langchain",
    "versions": [
      {
        "lessThanOrEqual": "latest",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]