Skip to content

Langchain Community Vulnerable to XML External Entity (XXE) Attacks #8

New issue
New issue
Open
Open
Langchain Community Vulnerable to XML External Entity (XXE) Attacks#8
Labels
bugSomething isn't workinghelp wantedExtra attention is needed
@YanCotta

Description

@YanCotta
YanCotta
opened on Sep 6, 2025

Description
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd. This issue has been fixed in 0.3.27 of langchain-community.

References
https://nvd.nist.gov/vuln/detail/CVE-2025-6984
https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
langchain-ai/langchain-community@e842452
https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py#L1-L23

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workinghelp wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions