CVE-2024-1455 MEDIUM

CVE-2024-1455: Billion Laughs Attack leading to DoS in langchain-ai/langchain

Vendor Langchain-Ai
Product langchain-ai/langchain
Weakness CWE-776
Published March 26, 2024
Last update August 15, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

A vulnerability in the langchain-ai/langchain repository allows a Billion Laughs attack, a form of XML entity expansion (CWE-776). It is related to, but distinct from, XML External Entity (XXE) injection: no external entity or network fetch is needed, only a DTD whose internal entities reference each other. By nesting multiple layers of entities within an XML document, each layer referring to the previous one many times, an attacker can make the XML parser expand a few hundred bytes of input into an exponentially larger document, consuming excessive CPU and memory and leading to a denial of service (DoS). This matches the CVSS vector: availability impact only, reachable over the network without privileges or user interaction.
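The mechanism described above, as an added example (not code from langchain-ai/langchain; the record does not name the affected component, so this shows the generic pattern). It builds a deliberately reduced payload (depth 3, fan-out 10, so 1000 expansions instead of the classic 10^9), shows that Python's default ElementTree parser expands it, and shows a hardened parse using the standard-library expat `EntityDeclHandler` callback to refuse any document that declares entities. The function names and the `lolz`/`lol0..lol3` entity names are this example's own choices.

```python
"""Reduced Billion Laughs (XML entity expansion, CWE-776) demo, stdlib only.

Added example, not code from langchain-ai/langchain. The CVE record does not
name the affected component, so this shows the generic mechanism and a generic
guard that a practitioner can drop in front of any untrusted XML parse.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


def billion_laughs(depth: int = 3, fanout: int = 10) -> str:
    """Construct a Billion Laughs payload with fanout**depth leaf expansions.

    The classic payload uses depth=9, fanout=10 (a billion "lol"s, ~3 GB);
    the defaults here expand to only 1000 copies so the demo is safe to run.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        # each level references the previous level `fanout` times
        refs = "".join(f"&lol{level - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "\n".join(decls)
    return (
        '<?xml version="1.0"?>\n'
        f"<!DOCTYPE lolz [\n{dtd}\n]>\n"
        f"<lolz>&lol{depth};</lolz>"
    )


def expanded_length_unsafe(doc: str) -> int:
    """Parse with ElementTree, which expands internal DTD entities by default.

    Returns the length of the expanded text so the amplification is visible.
    This is the vulnerable pattern: never call it on untrusted input.
    """
    root = ET.fromstring(doc)
    return len(root.text or "")


def amplification(doc: str) -> float:
    """Ratio of expanded text length to raw document length (a triage metric)."""
    return expanded_length_unsafe(doc) / len(doc)


class EntityDeclarationError(ValueError):
    """Raised when an untrusted document tries to declare an XML entity."""


def parse_rejecting_entities(doc: str) -> str:
    """Hardened parse: refuse any document whose DTD declares an entity.

    expat invokes EntityDeclHandler when the declaration is read, before any
    reference is expanded, so the bomb is rejected at near-zero cost.
    Returns the document's concatenated character data.
    """
    parser = xml.parsers.expat.ParserCreate()
    text_parts = []

    def on_entity_decl(entity_name, is_parameter_entity, value,
                       base, system_id, public_id, notation_name):
        # Raising inside an expat handler aborts Parse() with this exception.
        raise EntityDeclarationError(
            f"refusing document: entity {entity_name!r} declared in DTD")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text_parts.append
    parser.Parse(doc, True)  # isfinal=True: whole document supplied at once
    return "".join(text_parts)


if __name__ == "__main__":
    payload = billion_laughs()
    print(f"{len(payload)} bytes of XML expand to "
          f"{expanded_length_unsafe(payload)} characters "
          f"(x{amplification(payload):.1f})")
    try:
        parse_rejecting_entities(payload)
    except EntityDeclarationError as exc:
        print("hardened parser:", exc)
```

Raising the depth to the classic 9 turns the same few hundred bytes into gigabytes of expansion, which is the DoS the record describes. Two caveats: recent libexpat builds (2.4.1 and later) add their own amplification limit, so a fully patched interpreter may refuse the large payload on its own, but that is a platform property rather than something application code should rely on; and in practice most teams reach for `defusedxml`, which applies the same "no entity declarations" policy across the standard-library parsers.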

Key dates

02 Disclosure timeline

March 26, 2024 CVE published
August 15, 2024 Record updated