CVE-2024-2965

Published: Jun 6, 2024

Modified: Oct 15, 2025

PUBLISHED

CVSS v3.0

4.2

MEDIUM

Description

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Vendor	Product	Versions
langchain-ai	langchain-ai/langchain	affected `unspecified - < 0.2.5`

Weaknesses (CWE)

CWE-674

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Physical

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae

https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-2965

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References