CVE-2024-1455: LangChain: Billion Laughs XML expansion causes DoS

MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published March 26, 2024
CISO Take

CVE-2024-1455 allows unauthenticated remote attackers to crash LangChain-based applications by submitting crafted XML payloads that trigger recursive entity expansion, exhausting CPU and memory. If your team uses LangChain to ingest or process XML documents (document loaders, RAG pipelines, agent tool inputs), update to the patched commit immediately and add input validation at ingestion boundaries. Attack complexity is high, so this is not an urgent fire drill, but patch it in your next sprint.

Risk Assessment

Moderate operational risk. CVSS 5.9 with high attack complexity (AC:H) reduces real-world exploitability — an attacker must be able to supply malicious XML to a LangChain processing endpoint. Impact is availability-only (no data exfiltration). Risk escalates significantly for AI platforms that accept untrusted XML from users, third-party integrations, or external document feeds. Cloud-hosted LangChain deployments face amplified blast radius: a DoS could trigger auto-scaling costs before circuit breakers engage.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
langchain | pip | | No patch

135.7K | OpenSSF 6.5 | 2.6K dependents | Pushed 7d ago | 17% patched | ~256d to patch

Do you use langchain? You're affected.

Severity & Risk

CVSS 3.1: 5.9 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 28% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: apply commit 727d5023ce88e18e3074ef620a98137d26ff92a3 or update to a langchain version released after 2024-03-26.

  2. Validate input: reject or strip XML DOCTYPE declarations and entity definitions at ingestion boundaries before passing to LangChain parsers.

  3. Resource limits: configure memory and CPU caps on LangChain worker processes (e.g., via container resource limits, ulimit) to bound blast radius.

  4. Detection: monitor for sudden CPU/memory spikes in LangChain services, especially correlated with document ingestion jobs.

  5. Defense-in-depth: if XML ingestion is not needed, disable XML document loaders entirely in your LangChain configuration.
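
One way to implement the step 2 check at an ingestion boundary, as an added example (not LangChain's code and not the referenced patch). The names `reject_dtd`, `parse_untrusted`, `ForbiddenXML` and the `max_bytes` default are assumptions made for illustration; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not taken from the advisory or any PoC).
BENIGN = b"<doc><p>quarterly report</p></doc>"
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY a "x">]><doc>&a;</doc>'


class ForbiddenXML(ValueError):
    """Document carries a DTD or entity declaration, or is not well-formed."""


def reject_dtd(data: bytes, max_bytes: int = 1_000_000) -> None:
    """Raise ForbiddenXML before any entity in `data` can be expanded."""
    if len(data) > max_bytes:  # assumed size cap; tune per pipeline
        raise ForbiddenXML(f"document exceeds {max_bytes} bytes")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE declaration not allowed: {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed: {name!r}")

    parser = expat.ParserCreate()
    # expat calls these while reading the prolog, i.e. before element content
    # (where entity references would be expanded) is reached.
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise ForbiddenXML(f"not well-formed XML: {exc}") from exc


def parse_untrusted(data: bytes) -> ET.Element:
    """Validate at the ingestion boundary, then hand off to the real parser."""
    reject_dtd(data)
    return ET.fromstring(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("with DTD", WITH_DTD)):
        try:
            print(label, "->", parse_untrusted(doc).tag)
        except ForbiddenXML as err:
            print(label, "-> rejected:", err)
```

The `defusedxml` package uses the same handler-based rejection and can replace the hand-written check where adding a dependency is acceptable.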

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  6.1.2 - AI risk assessment
  8.4 - AI system lifecycle — operation and monitoring
NIST AI RMF
  GOVERN 6.1 - Policies for AI risk management in supply chain
  MANAGE 2.2 - Mechanisms for treatment of identified AI risks
OWASP LLM Top 10
  LLM04 - Model Denial of Service
  LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-1455?

CVE-2024-1455 allows unauthenticated remote attackers to crash LangChain-based applications by submitting crafted XML payloads that trigger recursive entity expansion, exhausting CPU and memory. If your team uses LangChain to ingest or process XML documents (document loaders, RAG pipelines, agent tool inputs), update to the patched commit immediately and add input validation at ingestion boundaries. Attack complexity is high, so this is not an urgent fire drill, but patch it in your next sprint.

Is CVE-2024-1455 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-1455, increasing the risk of exploitation.

How to fix CVE-2024-1455?

  1. Patch: apply commit 727d5023ce88e18e3074ef620a98137d26ff92a3 or update to a langchain version released after 2024-03-26.

  2. Validate input: reject or strip XML DOCTYPE declarations and entity definitions at ingestion boundaries before passing to LangChain parsers.

  3. Resource limits: configure memory and CPU caps on LangChain worker processes (e.g., via container resource limits, ulimit) to bound blast radius.

  4. Detection: monitor for sudden CPU/memory spikes in LangChain services, especially correlated with document ingestion jobs.

  5. Defense-in-depth: if XML ingestion is not needed, disable XML document loaders entirely in your LangChain configuration.

What systems are affected by CVE-2024-1455?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document ingestion pipelines, agent frameworks, LLM application backends.

What is the CVSS score for CVE-2024-1455?

CVE-2024-1455 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.11%.

Technical Details

NVD Description

A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

Exploitation Scenario

An attacker targeting an organization's AI-powered document analysis platform (built on LangChain) uploads a malicious XML file through a publicly accessible document upload endpoint. The XML contains a classic Billion Laughs payload — a root entity referencing 10 entities, each referencing 10 more, creating 10^10 expansions. LangChain's XML parser processes the file, triggering recursive entity resolution that exhausts available memory and CPU within seconds. The LangChain worker process crashes or becomes unresponsive, taking down the RAG ingestion pipeline and any dependent AI services. In a multi-tenant SaaS context, this could constitute a shared-infrastructure DoS affecting all customers on that worker node.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 26, 2024
Last Modified: July 30, 2025
First Seen: March 26, 2024
