GHSA-3hjh-jh2h-vrg6

GitHub Security Advisory

Denial of service in langchain-community

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

A denial-of-service vulnerability exists in the `SitemapLoader` document loader of the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` method, which parses sitemaps and extracts URLs, has no mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. The method can therefore recurse without end until it exceeds Python's maximum recursion depth and crashes. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services that rely on this functionality.
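The recursion flaw described above, next to a guarded traversal, as an added example that is not langchain-community's code or its actual fix. The names `collect_urls_unguarded`, `collect_urls`, `fetch`, `SAMPLE_SITEMAPS` and the `example.test` URLs are hypothetical, and the sitemap data is constructed.

```python
import xml.etree.ElementTree as ET  # stdlib parser for brevity; untrusted XML deserves a hardened parser

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample data: an in-memory "web" so the example runs offline.
# index.xml lists itself and one child sitemap (the self-reference case from the advisory).
SAMPLE_SITEMAPS = {
    "https://example.test/index.xml": """<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <sitemap><loc>https://example.test/index.xml</loc></sitemap>
  <sitemap><loc>https://example.test/pages.xml</loc></sitemap>
</sitemapindex>""",
    "https://example.test/pages.xml": """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.test/a</loc></url>
  <url><loc>https://example.test/b</loc></url>
</urlset>""",
}


def collect_urls_unguarded(sitemap_url, fetch):
    """Flawed pattern: follows every nested <sitemap> entry with no cycle check."""
    root = ET.fromstring(fetch(sitemap_url))
    urls = [loc.text.strip() for loc in root.findall("sm:url/sm:loc", NS) if loc.text]
    for loc in root.findall("sm:sitemap/sm:loc", NS):
        urls += collect_urls_unguarded(loc.text.strip(), fetch)  # recurses forever on a self-reference
    return urls


def collect_urls(sitemap_url, fetch, max_depth=5, _seen=None, _depth=0):
    """Guarded traversal: each sitemap URL is parsed once and nesting is capped."""
    seen = set() if _seen is None else _seen
    if sitemap_url in seen:
        return []  # self-reference or longer cycle: already parsed, skip
    if _depth > max_depth:
        # The visited set alone does not stop an endless chain of distinct URLs.
        raise ValueError(f"sitemap nesting deeper than {max_depth}: {sitemap_url}")
    seen.add(sitemap_url)

    root = ET.fromstring(fetch(sitemap_url))
    urls = [loc.text.strip() for loc in root.findall("sm:url/sm:loc", NS) if loc.text]
    for loc in root.findall("sm:sitemap/sm:loc", NS):
        if loc.text:
            urls += collect_urls(loc.text.strip(), fetch, max_depth, seen, _depth + 1)
    return urls
```

With `fetch = SAMPLE_SITEMAPS.__getitem__`, the unguarded function raises `RecursionError` on `index.xml`, while `collect_urls` returns the two page URLs.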

Affected Packages

PyPI langchain-community
Affected versions: 0 (fixed in 0.2.5)
PyPI langchain
Affected versions: 0 (fixed in 0.2.5)

Key Information

GHSA ID: GHSA-3hjh-jh2h-vrg6
Published: June 6, 2024 9:30 PM
Last Modified: November 4, 2024 3:27 PM
CVSS Score: 5.0/10
Primary Ecosystem: PyPI
Primary Package: langchain-community
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.