PyPI: langchain
CVE-2024-1455
Safety vulnerability ID: SFTY-20240326-32834
Safety legacy ID: pyup.io-66962
LangChain 0.1.14 updates its dependency 'langchain-core' in poetry.lock to version 0.1.37 to include a fix for an XML Entity Expansion vulnerability.
Overview
LangChain 0.1.14 updates its dependency 'langchain-core' in poetry.lock to version 0.1.37 to include a fix for an XML Entity Expansion vulnerability.
Advisory
How to Fix
Mitigation and Workarounds
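The advisory names only the fix thresholds (langchain 0.1.14, langchain-core 0.1.37) and the vulnerability class. The following is an added example, not code from the Safety advisory or from the LangChain project: it checks a `pip freeze`-style listing against those thresholds, and, as defence in depth for the named class of bug, refuses untrusted XML that carries DTD or entity declarations before handing it to the standard-library parser. The package listing is a constructed sample; the fixed versions are taken from the advisory text above.

```python
"""CVE-2024-1455 helper: version check plus a DTD guard for untrusted XML.

Added example, not code from the Safety advisory or the LangChain project.
Assumptions: fix thresholds come from the advisory text (langchain 0.1.14,
langchain-core 0.1.37); the `pip freeze` sample below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Fix thresholds stated in the advisory (package name -> first fixed version).
FIXED_VERSIONS = {
    "langchain": (0, 1, 14),
    "langchain-core": (0, 1, 37),
}

# Constructed sample of `pip freeze` output; not a real environment.
SAMPLE_FREEZE = """\
# constructed sample
langchain==0.1.13
langchain-core==0.1.36
requests==2.31.0
"""


def parse_version(text):
    """Turn a dotted numeric version such as '0.1.36' into a comparable tuple.

    Trailing non-numeric suffixes (e.g. 'rc1') are dropped, which is enough
    for the release versions named in the advisory.
    """
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_freeze(freeze_text):
    """Parse 'name==version' lines into a dict keyed by lower-cased name."""
    installed = {}
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        installed[name.strip().lower()] = version.strip()
    return installed


def find_vulnerable(installed):
    """Return {package: installed_version} for packages below the fixed version."""
    hits = {}
    for pkg, fixed in FIXED_VERSIONS.items():
        if pkg in installed and parse_version(installed[pkg]) < fixed:
            hits[pkg] = installed[pkg]
    return hits


# Entity expansion needs a DTD with <!ENTITY> declarations; untrusted input
# never legitimately needs one, so reject the whole document if either appears.
_DTD_MARKERS = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_untrusted_xml(xml_text):
    """Parse XML from an untrusted source, refusing any DTD up front.

    Raises ValueError when a DOCTYPE or ENTITY declaration is present; this
    removes the entity-expansion surface regardless of the parser underneath.
    """
    if _DTD_MARKERS.search(xml_text):
        raise ValueError("DTD/entity declarations are not accepted from untrusted input")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    for pkg, ver in find_vulnerable(parse_freeze(SAMPLE_FREEZE)).items():
        print(f"{pkg}=={ver} is below the fixed version, upgrade required")
```

Run it against real output with `pip freeze | python -c 'import sys, cve_2024_1455 as m; print(m.find_vulnerable(m.parse_freeze(sys.stdin.read())))'` (module name assumed). The DTD guard is deliberately coarse: it rejects documents with any DOCTYPE, which is the usual trade-off for input that should never carry one.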
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240326-32834/CVE-2024-1455
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1455
- https://github.com/langchain-ai/langchain/blob/v0.1.14/libs/langchain/poetry.lock#L3500
- https://github.com/langchain-ai/langchain/commit/727d5023ce88e18e3074ef620a98137d26ff92a3
- https://huntr.com/bounties/4353571f-c70d-4bfd-ac08-3a89cecb45b6
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.