CVE-2024-1455: LangChain: Billion Laughs XML expansion causes DoS
MEDIUM | PoC AVAILABLE | CISA: TRACK*
CVE-2024-1455 allows unauthenticated remote attackers to crash LangChain-based applications by submitting crafted XML payloads that trigger recursive entity expansion, exhausting CPU and memory. If your team uses LangChain to ingest or process XML documents (document loaders, RAG pipelines, agent tool inputs), update to the patched commit immediately and add input validation at ingestion boundaries. Attack complexity is high, so this is not an urgent fire drill, but patch it in your next sprint.
What is the risk?
Moderate operational risk. CVSS 5.9 with high attack complexity (AC:H) reduces real-world exploitability — an attacker must be able to supply malicious XML to a LangChain processing endpoint. Impact is availability-only (no data exfiltration). Risk escalates significantly for AI platforms that accept untrusted XML from users, third-party integrations, or external document feeds. Cloud-hosted LangChain deployments face amplified blast radius: a DoS could trigger auto-scaling costs before circuit breakers engage.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LangChain | pip | — | No patch |
Do you use LangChain? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps
- Patch: apply commit 727d5023ce88e18e3074ef620a98137d26ff92a3 or update to a langchain version released after 2024-03-26.
- Validate input: reject or strip XML DOCTYPE declarations and entity definitions at ingestion boundaries before passing to LangChain parsers.
- Resource limits: configure memory and CPU caps on LangChain worker processes (e.g., via container resource limits, ulimit) to bound blast radius.
- Detection: monitor for sudden CPU/memory spikes in LangChain services, especially correlated with document ingestion jobs.
- Defense-in-depth: if XML ingestion is not needed, disable XML document loaders entirely in your LangChain configuration.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-1455?
CVE-2024-1455 allows unauthenticated remote attackers to crash LangChain-based applications by submitting crafted XML payloads that trigger recursive entity expansion, exhausting CPU and memory. If your team uses LangChain to ingest or process XML documents (document loaders, RAG pipelines, agent tool inputs), update to the patched commit immediately and add input validation at ingestion boundaries. Attack complexity is high, so this is not an urgent fire drill, but patch it in your next sprint.
Is CVE-2024-1455 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-1455, increasing the risk of exploitation.
How to fix CVE-2024-1455?
1. Patch: apply commit 727d5023ce88e18e3074ef620a98137d26ff92a3 or update to a langchain version released after 2024-03-26.
2. Validate input: reject or strip XML DOCTYPE declarations and entity definitions at ingestion boundaries before passing to LangChain parsers.
3. Resource limits: configure memory and CPU caps on LangChain worker processes (e.g., via container resource limits, ulimit) to bound blast radius.
4. Detection: monitor for sudden CPU/memory spikes in LangChain services, especially correlated with document ingestion jobs.
5. Defense-in-depth: if XML ingestion is not needed, disable XML document loaders entirely in your LangChain configuration.
What systems are affected by CVE-2024-1455?
This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.
What is the CVSS score for CVE-2024-1455?
CVE-2024-1455 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.77%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).
Exploitation Scenario
An attacker targeting an organization's AI-powered document analysis platform (built on LangChain) uploads a malicious XML file through a publicly accessible document upload endpoint. The XML contains a classic Billion Laughs payload — a root entity referencing 10 entities, each referencing 10 more, creating 10^10 expansions. LangChain's XML parser processes the file, triggering recursive entity resolution that exhausts available memory and CPU within seconds. The LangChain worker process crashes or becomes unresponsive, taking down the RAG ingestion pipeline and any dependent AI services. In a multi-tenant SaaS context, this could constitute a shared-infrastructure DoS affecting all customers on that worker node.
Weaknesses (CWE)
CWE-776 — Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion'): The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
- [Operation] If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
- [Implementation] Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Source: MITRE CWE corpus.
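The "Validate input" step and the CWE-776 mitigations above both come down to refusing documents that declare a DTD or entities before any LangChain parser sees them. The following is an added example, not LangChain's code or the patch itself: `screen_xml`, `parse_untrusted_xml` and `RejectedXML` are hypothetical names, the samples are constructed, and only Python's standard-library expat bindings are used.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedXML(ValueError):
    """Document carries a DTD or entity declarations and must not be parsed."""


def screen_xml(data, allow_dtd=False):
    """Return a rejection reason, or None if the document declares nothing risky."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            raise RejectedXML("DOCTYPE declaration")

    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        # Fires for general and parameter entities, internal or external.
        raise RejectedXML(f"entity declaration {name!r}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        # An exception raised in a handler propagates out of Parse(),
        # ending the check at the offending declaration.
        parser.Parse(data, True)
    except RejectedXML as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


def parse_untrusted_xml(data, allow_dtd=False):
    """Screen first; only documents that pass reach the real parser."""
    reason = screen_xml(data, allow_dtd)
    if reason is not None:
        raise RejectedXML(reason)
    return ET.fromstring(data)


# Constructed samples: the last one declares two small, harmless entities.
CLEAN = b"<doc><title>report</title></doc>"
DTD_ONLY = b"<!DOCTYPE doc><doc>ok</doc>"
WITH_ENTITIES = b'<!DOCTYPE doc [<!ENTITY a "x"><!ENTITY b "&a;&a;">]><doc>&b;</doc>'

if __name__ == "__main__":
    for sample in (CLEAN, DTD_ONLY, WITH_ENTITIES):
        print(sample[:30], "->", screen_xml(sample) or "accepted")
```

Call the screening function at the upload or feed boundary and log the returned reason. `allow_dtd=True` is for feeds that carry a bare DOCTYPE but should still never define entities.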
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Timeline
Related Vulnerabilities
- CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same package: langchain
- CVE-2023-34541 | 9.8 | LangChain: RCE via unsafe load_prompt deserialization | Same package: langchain
- CVE-2023-29374 | 9.8 | LangChain: RCE via prompt injection in LLMMathChain | Same package: langchain
- CVE-2023-34540 | 9.8 | LangChain: RCE via JiraAPIWrapper crafted input | Same package: langchain
- CVE-2023-36258 | 9.8 | LangChain: unauthenticated RCE via code injection | Same package: langchain