CVE-2024-1455 Vulnerability Details


CVE-2024-1455 Metadata Quick Info

CVE Published: 26/03/2024 | CVE Updated: 15/08/2024 | CVE Year: 2024
Source: @huntr_ai | Vendor: langchain-ai | Product: langchain-ai/langchain
Status : PUBLISHED

CVE-2024-1455 Description

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).
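As an added illustration (not code from this record or from the langchain project), the Python below shows the mechanism the description refers to and one mitigation: the default `xml.etree.ElementTree` parser expands nested internal entities eagerly, whereas a pre-parse screen on `xml.parsers.expat`'s entity-declaration callback refuses such a document before any expansion happens. The sample document and all names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: three nested entity layers with a fan-out of three, the
# same shape as the billion-laughs pattern but only 18 characters once expanded.
NESTED_ENTITY_XML = (
    '<!DOCTYPE lolz [\n'
    ' <!ENTITY a "ha">\n'
    ' <!ENTITY b "&a;&a;&a;">\n'
    ' <!ENTITY c "&b;&b;&b;">\n'
    ']>\n'
    '<lolz>&c;</lolz>'
)
PLAIN_XML = '<doc>ok</doc>'


class EntityDeclarationRejected(ValueError):
    """The document declares an entity and was refused before parsing."""


def expanded_text(data: str) -> str:
    """Unguarded parse with the default ElementTree parser: internal entity
    references are expanded eagerly, so output size is the product of the
    fan-out at every nesting layer (here 3 * 3 * len("ha") = 18)."""
    return ET.fromstring(data).text or ""


def screen_entity_declarations(data: str) -> None:
    """Pre-parse screen on expat's EntityDeclHandler: raise at the first
    <!ENTITY ...> declaration, i.e. before any reference could be expanded.
    Refusing the whole DOCTYPE (StartDoctypeDeclHandler) is the stricter variant."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)


def parse_guarded(data: str) -> ET.Element:
    """Screen first, then parse normally; entity-free XML is unaffected."""
    screen_entity_declarations(data)
    return ET.fromstring(data)


if __name__ == "__main__":
    print(len(expanded_text(NESTED_ENTITY_XML)), "chars after unguarded expansion")
    try:
        parse_guarded(NESTED_ENTITY_XML)
    except EntityDeclarationRejected as exc:
        print("guarded parse refused:", exc)
```

A real payload nests far deeper with a larger fan-out, so the unguarded branch is the one that exhausts CPU and memory; the screen rejects it while it is still a few hundred bytes.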

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

Exploitability Metrics:
    Attack Vector (AV)
    Attack Complexity (AC)
    Privileges Required (PR)
    User Interaction (UI)
    Scope (S)

Impact Metrics:
    Confidentiality Impact (C)
    Integrity Impact (I)
    Availability Impact (A)

Weakness Enumeration (CWE)

CWE-ID: CWE-776
CWE Name: CWE-776 Improper Restriction of Recursive Entity References in DTDs
Source: langchain-ai

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).