You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
vulnerability found: CVE-2024-1455, The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities.
#21464
Open
5 tasks done
linooohon opened this issue
May 9, 2024
· 1 comment
The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities; see: https://docs.python.org/3/library/xml.html This primarily affects users that combine an LLM (or agent) with the XMLOutputParser and expose the component via an endpoint on a web-service. This would allow a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser that would compromise the availability of the service. A successful attack is predicated on: 1. Usage of XMLOutputParser 2. Passing of malicious input into the XMLOutputParser either directly or by trying to manipulate an LLM to do so on the users behalf 3. Exposing the component via a web-service See CVE-2024-1455.
Description
I am using Pipfile.
When I execute pipenv check, this vulnerability is showing.
Message:
VULNERABILITIES FOUND
+=======================================================================================================================================================+
-> Vulnerability found in langchain version 0.1.19
Vulnerability ID: 66962
Affected spec: >=0,<1.4
ADVISORY: The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML
vulnerabilities; see: https://docs.python.org/3/library/xml.html This primarily affects users that combine an LLM (or agent) with the...
CVE-2024-1455
For more information, please visit https://data.safetycli.com/v/66962/742
Scan was completed. 1 vulnerability was found.
Checked other resources
Example Code
In Pipfile:
[packages]
langchain = "0.1.19"
langchain-openai = "0.1.6"
Error Message and Stack Trace (if applicable)
link: https://data.safetycli.com/v/66962/742/
The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities; see: https://docs.python.org/3/library/xml.html This primarily affects users that combine an LLM (or agent) with the
XMLOutputParser
and expose the component via an endpoint on a web-service. This would allow a malicious party to attempt to manipulate the LLM to produce a malicious payload for the parser that would compromise the availability of the service. A successful attack is predicated on: 1. Usage of XMLOutputParser 2. Passing of malicious input into the XMLOutputParser either directly or by trying to manipulate an LLM to do so on the users behalf 3. Exposing the component via a web-service See CVE-2024-1455.Description
I am using Pipfile.
When I execute
pipenv check
, this vulnerability is showing.Message:
System Info
[packages]
langchain = "0.1.19"
langchain-openai = "0.1.6"
The text was updated successfully, but these errors were encountered: