XML External Entity Vulnerability in EverNoteLoader Component of Langchain Project
CVE-2025-6984

7.5 HIGH

Key Information:

Vendor
CVE Published:
4 September 2025

What is CVE-2025-6984?

The EverNoteLoader component of the Langchain project is susceptible to XML External Entity (XXE) attacks because of its insecure XML parsing configuration. Specifically, the loader calls etree.iterparse() without disabling external entity references. An attacker can exploit this flaw by supplying a specially crafted XML document whose external entity references local files, which may allow them to disclose sensitive data such as system files. Organizations using this component should take immediate measures to secure their implementations against potential exploitation.
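To show the hardening the advisory calls for, the following is an added example (not LangChain's code and not its actual fix) that streams an ENEX-style export through lxml's iterparse with external entity resolution switched off, then checks that a file named by an entity declaration is never read. It assumes lxml 4 or later; the sample document, the temp file and its marker content are constructed for the check.

```python
"""Hardened lxml iterparse for untrusted ENEX-style XML (added example)."""
import io
import os
import tempfile

from lxml import etree


def parse_notes(xml_bytes):
    """Return (title, content) pairs for each <note>, with entity expansion off.

    resolve_entities=False keeps &name; references as unexpanded entity nodes,
    load_dtd=False skips fetching an external DTD subset, and no_network=True
    blocks http(s) retrieval from inside the parser.
    """
    notes = []
    title = content = ""
    for _event, elem in etree.iterparse(
        io.BytesIO(xml_bytes),
        events=("end",),
        resolve_entities=False,
        load_dtd=False,
        no_network=True,
    ):
        if elem.tag == "title":
            title = elem.text or ""
        elif elem.tag == "content":
            content = elem.text or ""  # entity ref node is a child, not text
        elif elem.tag == "note":
            notes.append((title, content))
            elem.clear()  # keep memory flat while streaming large exports
    return notes


def secret_stays_unread():
    """Self-check: an entity pointing at a constructed local file must not
    leak that file's contents into the extracted note text."""
    marker = b"CONSTRUCTED-SECRET-MARKER"
    with tempfile.NamedTemporaryFile(delete=False) as f:  # placeholder file
        f.write(marker)
        path = f.name
    try:
        xml_bytes = (
            b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE en-export [<!ENTITY leak SYSTEM "file://' + path.encode() + b'">]>\n'
            b"<en-export><note><title>t</title><content>&leak;</content></note></en-export>"
        )
        notes = parse_notes(xml_bytes)
        extracted = "".join(c for _t, c in notes)
        return len(notes) == 1 and marker.decode() not in extracted
    finally:
        os.unlink(path)
```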

Affected Version(s)

langchain-ai/langchain <= unspecified

CVSS V3.0

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
