CVE-2024-2965

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 19:15

Updated : 2024-06-25 11:15

NVD link : CVE-2024-2965

Mitre link : CVE-2024-2965

CVE.ORG link : CVE-2024-2965

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2024-2965", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.5}]}, "published": "2024-06-06T19:15:55.897", "references": [{"url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae", "source": "security@huntr.dev"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-community` package, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality."}, {"lang": "es", "value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la clase `SitemapLoader` del repositorio `langchain-ai/langchain`, que afecta a todas las versiones. El m\u00e9todo `parse_sitemap`, responsable de analizar mapas de sitio y extraer URL, carece de un mecanismo para evitar la recursividad infinita cuando la URL de un mapa de sitio hace referencia al propio mapa de sitio actual. Este descuido permite la posibilidad de que se produzca un bucle infinito, lo que provocar\u00e1 un bloqueo al exceder la profundidad m\u00e1xima de recursividad en Python. Esta vulnerabilidad se puede aprovechar para ocupar recursos de puerto/socket del servidor y bloquear el proceso de Python, lo que afecta la disponibilidad de los servicios que dependen de esta funcionalidad."}], "lastModified": "2024-06-25T11:15:49.873", "sourceIdentifier": "security@huntr.dev"}