XML External Entity Vulnerability in EverNoteLoader Component of Langchain Project
CVE-2025-6984
7.5 HIGH
What is CVE-2025-6984?
The EverNoteLoader component of the Langchain project is vulnerable to XML External Entity (XXE) attacks because it parses untrusted XML insecurely. Specifically, the loader calls etree.iterparse() without disabling external entity resolution. An attacker who can supply a specially crafted XML document can declare an external entity that references a local file, which may cause the loader to read that file into the parsed content and disclose sensitive data such as system files. Organizations using this component should promptly update it or otherwise mitigate the issue.
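As an added illustration of the mitigation (not code from the langchain project), the following assumes a loader built on the standard library's xml.etree.ElementTree.iterparse() over Evernote-style <en-export> XML; the ENEX samples, the placeholder file path and the function names are constructed for this example. It refuses any document that declares a DOCTYPE or entity before the streaming parse runs, which closes the external-entity path entirely, since an export loader never needs a DTD.

```python
import io
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: a minimal Evernote export with one note.
CLEAN_ENEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<en-export application="Evernote" version="10.0">
  <note><title>Grocery list</title><content>milk, eggs</content></note>
</en-export>"""

# Constructed sample of the shape the advisory describes: a DOCTYPE declares an
# external entity pointing at a local file (placeholder path) and a note
# references it, so the file's contents would be pulled into the parsed tree.
XXE_ENEX = b"""<?xml version="1.0"?>
<!DOCTYPE en-export [<!ENTITY ext SYSTEM "file:///tmp/placeholder-secret.txt">]>
<en-export><note><title>&ext;</title></note></en-export>"""

class UnsafeXMLError(ValueError):
    """The document declares a DTD or entities; an export loader needs neither."""

def dtd_problem(data):
    """Pre-scan with a bare expat parser; return the refusal reason, or None.
    Expat fetches nothing by itself, so the scan cannot fire the reference."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE for {name!r} (system id {sysid!r})")
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity {name!r} (system id {sysid!r})")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except UnsafeXMLError as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None

def load_note_titles(data):
    """The loader's streaming loop, run only after the DTD guard has passed."""
    problem = dtd_problem(data)
    if problem:
        raise UnsafeXMLError(problem)
    titles = []
    for _event, elem in ET.iterparse(io.BytesIO(data), events=("end",)):
        if elem.tag == "note":
            titles.append(elem.findtext("title", default=""))
            elem.clear()  # drop the note once consumed, as a streaming loader should
    return titles
```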
Affected Version(s)
langchain-ai/langchain <= unspecified