PyPI: langchain-community
CVE-2025-6984
Safety vulnerability ID: SFTY-20250904-73061
Safety legacy ID: pyup.io-79462
Overview
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
Advisory
Affected versions of the langchain-community package are vulnerable to XML External Entity (XXE) Injection. `EverNoteLoader` in the `langchain_community.document_loaders.evernote` module parses ENEX input with lxml's `etree.iterparse()` on a default parser, without disabling external entity resolution. A crafted ENEX file can therefore declare an external entity and have it expanded into the loaded document, which gives whoever supplies the export file unintended access to local resources on the host running the loader.
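The following is an added example, not code from langchain-community or from its fix commit: a streaming ENEX note reader built on Python's stdlib `xml.parsers.expat` that fails closed on any entity declaration or external entity reference (the same handler-based hardening that defusedxml applies), exercised against a constructed XXE-style export and a constructed benign export. The sample documents, the `parse_enex_notes` and `rejects` helpers and the `UnsafeEnexError` type are assumptions made for this demonstration; they are not the project's API.

```python
"""Added example (not langchain-community code): an ENEX note reader on
stdlib expat that refuses entity declarations and external entity loads."""
import xml.parsers.expat
from typing import Dict, List


class UnsafeEnexError(ValueError):
    """Raised when an ENEX document tries to declare or load an entity."""


# Constructed sample: the shape an XXE attempt takes. The internal DTD subset
# declares an external entity pointing at a local file and references it.
XXE_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<en-export>
  <note><title>leak</title><content>&xxe;</content></note>
</en-export>
"""

# Constructed sample shaped like a normal Evernote export: a DOCTYPE with an
# external DTD reference but no entity declarations. Rejecting every DOCTYPE
# would refuse legitimate exports, so only entities are refused.
BENIGN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-export SYSTEM "http://xml.evernote.com/pub/evernote-export4.dtd">
<en-export>
  <note>
    <title>Groceries</title>
    <content><![CDATA[<en-note>milk, eggs</en-note>]]></content>
  </note>
  <note>
    <title>Second</title>
    <content><![CDATA[<en-note>hello</en-note>]]></content>
  </note>
</en-export>
"""


class _NoteCollector:
    """Expat callbacks that collect <title> and <content> text per <note>."""

    def __init__(self) -> None:
        self.notes: List[Dict[str, str]] = []
        self._note: Dict[str, str] = {}
        self._field = ""
        self._buf: List[str] = []

    def start(self, name: str, attrs: Dict[str, str]) -> None:
        if name == "note":
            self._note = {}
        elif name in ("title", "content"):
            self._field, self._buf = name, []

    def chars(self, data: str) -> None:
        # Text and CDATA both arrive here, possibly in several chunks.
        if self._field:
            self._buf.append(data)

    def end(self, name: str) -> None:
        if name in ("title", "content"):
            self._note[name] = "".join(self._buf).strip()
            self._field = ""
        elif name == "note":
            self.notes.append(self._note)


def parse_enex_notes(data: bytes) -> List[Dict[str, str]]:
    """Stream-parse ENEX bytes into notes, failing closed on any entity."""
    parser = xml.parsers.expat.ParserCreate()
    collector = _NoteCollector()

    def forbid_entity_decl(entity_name, *_args):
        # Every <!ENTITY ...>, internal or SYSTEM/PUBLIC, is refused outright,
        # which also blocks expansion bombs such as "billion laughs".
        raise UnsafeEnexError(f"entity declaration forbidden: {entity_name}")

    def forbid_external_ref(context, base, system_id, public_id):
        # Expat only loads external entities through this handler; raising
        # here means nothing is ever fetched or opened on the loader's behalf.
        raise UnsafeEnexError(f"external entity forbidden: {system_id}")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.UnparsedEntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = collector.start
    parser.EndElementHandler = collector.end
    parser.CharacterDataHandler = collector.chars
    parser.Parse(data, True)
    return collector.notes


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_enex_notes(data)
    except UnsafeEnexError:
        return True
    return False


if __name__ == "__main__":
    for note in parse_enex_notes(BENIGN_ENEX):
        print(note["title"], "->", note["content"])
    print("XXE sample rejected:", rejects(XXE_ENEX))
```

The benign export parses into two notes while the XXE sample is refused at the `<!ENTITY>` declaration, before the reference in `<content>` is ever reached. If the loader has to stay on lxml, the equivalent hardening is to parse with an `etree.XMLParser(resolve_entities=False, no_network=True)` or to go through the defusedxml wrappers; neither of those is shown above.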
How to Fix
Upgrade to a release of langchain-community that includes the fix commit listed under References.
Mitigation and Workarounds
Until the package is upgraded, do not load ENEX files from untrusted sources, or parse them with an XML parser that has external entity resolution disabled.
Vulnerable Functions
- `langchain_community.document_loaders.evernote.EverNoteLoader` (ENEX parsing via `etree.iterparse()`)
References
- https://getsafety.com/vulnerabilities/SFTY-20250904-73061/CVE-2025-6984
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6984
- https://github.com/advisories/GHSA-pc6w-59fv-rh23
- https://nvd.nist.gov/vuln/detail/CVE-2025-6984
- https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a
- https://github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f
- https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py#L1-L23
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.