GHSA-pc6w-59fv-rh23 · Severity: high · Ecosystem: pip — Langchain Community Vulnerable to XML External Entity (XXE) Attacks
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.
Conclusion & alert: CVE-2025-6984 is rated Moderate Risk (59/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.92%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-03-24 | 2.06% | 1.92% | -0.14% |
| 2 | 2026-03-21 | 3.00% | 2.06% | -0.94% |
| 3 | 2026-03-19 | — | 3.00% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.0 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-pc6w-59fv-rh23 · Severity: high · Ecosystem: pip — Langchain Community Vulnerable to XML External Entity (XXE) Attacks
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-6984 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||