{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T04:24:59.125","vulnerabilities":[{"cve":{"id":"CVE-2024-1455","sourceIdentifier":"security@huntr.dev","published":"2024-03-26T14:15:08.450","lastModified":"2025-07-30T20:06:23.577","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS). "},{"lang":"es","value":"XMLOutputParser en LangChain utiliza el módulo etree del analizador XML en la biblioteca estándar de Python que tiene algunas vulnerabilidades XML; consulte: https://docs.python.org/3/library/xml.html Esto afecta principalmente a los usuarios que combinan un LLM (o agente) con `XMLOutputParser` y exponen el componente a través de un endpoint en un servicio web. Esto permitiría que una parte malintencionada intentara manipular el LLM para producir un payload malicioso para el analizador que comprometería la disponibilidad del servicio. Un ataque exitoso se basa en: 1. Uso de XMLOutputParser 2. Pasar entradas maliciosas al XMLOutputParser, ya sea directamente o intentando manipular un LLM para que lo haga en nombre del usuario 3. Exponer el componente a través de un servicio web"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}],"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-776"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*","versionStartIncluding":"0.1.4","versionEndIncluding":"0.1.35","matchCriteriaId":"E2048421-A31F-490C-B3B5-EA3C4033A4E7"}]}]}],"references":[{"url":"https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3","source":"security@huntr.dev","tags":["Patch"]},{"url":"https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6","source":"security@huntr.dev","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}