vulnerability found: CVE-2024-1455, The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities. #21464

Open
5 tasks done
linooohon opened this issue May 9, 2024 · 1 comment
Labels
Ɑ: parsing Related to output parser module 🤖:security Related to security issues, CVEs

Comments

linooohon commented May 9, 2024

Checked other resources

  • I added a very descriptive title to this issue.
  • I searched the LangChain documentation with the integrated search.
  • I used the GitHub search to find a similar question and didn't find it.
  • I am sure that this is a bug in LangChain rather than my code.
  • The bug is not resolved by updating to the latest stable version of LangChain (or the specific integration package).

Example Code

In Pipfile:

[packages]
langchain = "0.1.19"
langchain-openai = "0.1.6"

Error Message and Stack Trace (if applicable)

link: https://data.safetycli.com/v/66962/742/

The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard Python library which has some XML vulnerabilities; see: https://docs.python.org/3/library/xml.html

This primarily affects users that combine an LLM (or agent) with the XMLOutputParser and expose the component via an endpoint on a web-service. This would allow a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser that would compromise the availability of the service.

A successful attack is predicated on:

1. Usage of XMLOutputParser
2. Passing of malicious input into the XMLOutputParser either directly or by trying to manipulate an LLM to do so on the user's behalf
3. Exposing the component via a web-service

See CVE-2024-1455.

Description

I am using Pipfile.
When I execute pipenv check, this vulnerability is showing.

Message:

 VULNERABILITIES FOUND 
+=======================================================================================================================================================+

-> Vulnerability found in langchain version 0.1.19
   Vulnerability ID: 66962
   Affected spec: >=0,<1.4
   ADVISORY: The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML
   vulnerabilities; see: https://docs.python.org/3/library/xml.html This primarily affects users that combine an LLM (or agent) with the...
   CVE-2024-1455
   For more information, please visit https://data.safetycli.com/v/66962/742

 Scan was completed. 1 vulnerability was found. 

System Info

[packages]
langchain = "0.1.19"
langchain-openai = "0.1.6"
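
The advisory quoted in the report above concerns untrusted model output reaching the standard-library XML parser. As an added example (not code from this issue, from LangChain, or from its fix), the following guard parses such output with the stdlib expat bindings while refusing any DTD or entity declaration; the names `parse_untrusted_xml`, `RejectedXML` and the `MAX_CHARS` cap are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_CHARS = 64_000  # assumed cap on model output size; tune per service


class RejectedXML(ValueError):
    """The document is malformed, too large, or uses a forbidden construct."""


def _forbid(what):
    # expat passes different argument lists to each handler, so accept any.
    def handler(*_args):
        raise RejectedXML(f"{what} is not allowed in model output")
    return handler


def parse_untrusted_xml(text: str, max_chars: int = MAX_CHARS) -> ET.Element:
    """Build an ElementTree from text, refusing DTDs and entity declarations."""
    if len(text) > max_chars:
        raise RejectedXML("input too large")
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # Entity-expansion attacks need a DTD, so stop at the first sign of one.
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(text, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return builder.close()


# Constructed samples: ordinary model output, and a tiny nested-entity document.
BENIGN = "<movies><movie>Alien</movie><movie>Heat</movie></movies>"
NESTED_ENTITIES = (
    '<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    "<d>&b;</d>"
)

if __name__ == "__main__":
    print([m.text for m in parse_untrusted_xml(BENIGN)])
    try:
        parse_untrusted_xml(NESTED_ENTITIES)
    except RejectedXML as err:
        print("rejected:", err)
```

The third-party defusedxml package applies the same kind of restriction to the stdlib parsers.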

@dosubot dosubot bot added Ɑ: parsing Related to output parser module 🤖:security Related to security issues, CVEs labels May 9, 2024
linooohon (Author) commented

Any update on this?
