Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/langchain-exa@0.1.0
Typepypi
Namespace
Namelangchain-exa
Version0.1.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.0.0a1
Latest_non_vulnerable_version1.0.0a1
Affected_by_vulnerabilities
0
url VCID-f71e-h861-6qh6
vulnerability_id VCID-f71e-h861-6qh6
summary LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.
references
0
reference_url https://github.com/langchain-ai/langchain
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/langchain-ai/langchain
1
reference_url https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb
2
reference_url https://www.langchain.com/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.langchain.com/
3
reference_url https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos
fixed_packages
0
url pkg:pypi/langchain-exa@1.0.0a1
purl pkg:pypi/langchain-exa@1.0.0a1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-exa@1.0.0a1
aliases CVE-2024-58340, PYSEC-2026-75
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f71e-h861-6qh6
Fixing_vulnerabilities
0
url VCID-u29a-rxyq-aubh
vulnerability_id VCID-u29a-rxyq-aubh
summary 
With the following crawler configuration:

```python
from bs4 import BeautifulSoup as Soup

url = "https://example.com"
loader = RecursiveUrlLoader(
    url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text
)
docs = loader.load()
```

An attacker in control of the contents of `https://example.com` could place a malicious HTML file in there with links like "https://example.completely.different/my_file.html" and the crawler would proceed to download that file as well even though `prevent_outside=True`.

https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51

Resolved in https://github.com/langchain-ai/langchain/pull/15559
references
0
reference_url https://github.com/langchain-ai/langchain
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain
1
reference_url https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51
2
reference_url https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
3
reference_url https://github.com/langchain-ai/langchain/pull/15559
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/pull/15559
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml
5
reference_url https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-0243
reference_id CVE-2024-0243
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-0243
7
reference_url https://github.com/advisories/GHSA-h9j7-5xvc-qhg5
reference_id GHSA-h9j7-5xvc-qhg5
reference_type
scores
url https://github.com/advisories/GHSA-h9j7-5xvc-qhg5
fixed_packages
0
url pkg:pypi/langchain-exa@0.1.0
purl pkg:pypi/langchain-exa@0.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f71e-h861-6qh6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain-exa@0.1.0
aliases CVE-2024-0243, GHSA-h9j7-5xvc-qhg5, PYSEC-2024-235
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u29a-rxyq-aubh
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/langchain-exa@0.1.0