langchain-community 0.2.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the langchain-community package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H XML External Entity (XXE) Injection Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via insecure use of `etree.iterparse()` parsing. An attacker can access sensitive information by submitting crafted XML payload with referencies to local files. How to fix XML External Entity (XXE) Injection? Upgrade `langchain-community` to version 0.3.27 or higher.	[,0.3.27)
M Deserialization of Untrusted Data Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the `FAISS.deserialize_from_bytes` function. An attacker can execute arbitrary commands by exploiting the `os.system` function. Note: Exploiting this vulnerability requires that the user actively accept untrusted input from another source. How to fix Deserialization of Untrusted Data? Upgrade `langchain-community` to version 0.2.10 or higher.	[,0.2.10)
M Uncontrolled Resource Consumption ('Resource Exhaustion') Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the `SitemapLoader` class. An attacker can occupy server socket/port resources and crash the Python process by inducing an infinite loop via recursive sitemap URL references. How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')? Upgrade `langchain-community` to version 0.2.5 or higher.	[,0.2.5)

Vulnerability

Vulnerable Version

XML External Entity (XXE) Injection

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via insecure use of etree.iterparse() parsing. An attacker can access sensitive information by submitting crafted XML payload with referencies to local files.

How to fix XML External Entity (XXE) Injection?

Upgrade langchain-community to version 0.3.27 or higher.

[,0.3.27)

Deserialization of Untrusted Data

Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the FAISS.deserialize_from_bytes function. An attacker can execute arbitrary commands by exploiting the os.system function.

Note:

Exploiting this vulnerability requires that the user actively accept untrusted input from another source.

How to fix Deserialization of Untrusted Data?

Upgrade langchain-community to version 0.2.10 or higher.

[,0.2.10)

Uncontrolled Resource Consumption ('Resource Exhaustion')

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the SitemapLoader class. An attacker can occupy server socket/port resources and crash the Python process by inducing an infinite loop via recursive sitemap URL references.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade langchain-community to version 0.2.5 or higher.

[,0.2.5)

langchain-community@0.2.0 vulnerabilities

Community contributed LangChain integrations.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically