Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2025-6984 PoC — Sensitive Information Disclosure Due to Insecure XML Parsing in langchain-ai/langchain

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2025/CVE-2025-6984.yaml
Associated Vulnerability
Title:Sensitive Information Disclosure Due to Insecure XML Parsing in langchain-ai/langchain (CVE-2025-6984)
Description:The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
Description
langchain-ai/langchain 0.3.63 contains an XML External Entity (XXE) injection caused by insecure XML parsing in EverNoteLoader using etree.iterparse(), letting attackers disclose sensitive information, exploit requires crafted malicious XML payload.
File Snapshot

 id: CVE-2025-6984

info:
  name: langchain-ai langchain - XML External Entity Injection
  author: nu

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →