Home > Vulnerability Database > CVE-2024-2965

Mend.io Vulnerability Database

CVE-2024-2965

Good to know:

Date: June 6, 2024

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Language: Python

Severity Score

4.2

Related Resources (6)

Url: https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae

Url: https://github.com/langchain-ai/langchain/pull/22903

Url: https://github.com/langchain-ai/langchain

Url: https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-2965

Url: https://www.mend.io/vulnerability-database/CVE-2024-2965

Severity Score

4.2

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version langchain - 0.2.5

Learn More

CVSS v3.1

Base Score:	4.2
Attack Vector (AV):	PHYSICAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-2965

Good to know:

Date: June 6, 2024

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?