- CVSS
- MEDIUM · 5.9v3.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
- Published
- 2024-03-26
- Weakness
- CWE-776
- Source
- nvd.nist.gov/vuln/detail/CVE-2024-1455
Description
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).
References
- https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3
- https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6
- https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3
- https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6
How GTK Cyber trains on this
AI security training at GTK Cyber covers the LLM and ML-pipeline vulnerability classes that vulnerabilities like CVE-2024-1455 fall into. Our hands-on courses are taught by Charles Givre and other practitioners who break and defend production AI systems.