CVE-2024-2965 — MEDIUM (CVSS 4.2) AI Security Vulnerability

Q: Is CVE-2024-2965 actively exploited?

No confirmed active exploitation of CVE-2024-2965 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2024-2965?

1) Patch: Upgrade langchain and langchain-community to >= 0.2.5 — this is the only complete fix. 2) Audit: Grep codebase for SitemapLoader usage and determine whether URLs are user-controlled or hardcoded. 3) Workaround (if patching is delayed): Wrap parse_sitemap calls in try/except RecursionError with circuit-breaker logic, or enforce a URL allowlist for permitted sitemaps. 4) Detect: Alert on RecursionError exceptions in AI service logs — unexpected occurrences may indicate active exploitation attempts. 5) Dependency scanning: Add langchain-community to SCA tooling with a fail-build rule for versions < 0.2.5.

Q: What systems are affected by CVE-2024-2965?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines.

Q: What is the CVSS score for CVE-2024-2965?

CVE-2024-2965 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.04%.

CISO Take

If your LangChain-based application uses SitemapLoader with user-controlled URLs, an attacker can crash the Python process by submitting a self-referencing sitemap — taking the service offline. Upgrade langchain-community to 0.2.5 or later. Low urgency for environments where sitemap URLs are hardcoded or admin-controlled; high urgency for multi-tenant or user-driven data ingestion pipelines.

Risk Assessment

Low-to-medium real-world risk. CVSS 4.2 with AV:P reflects conservative NVD scoring, but any deployment accepting user-supplied sitemap URLs is effectively remotely exploitable. EPSS of 0.00038 and absence from CISA KEV confirm no observed in-the-wild exploitation. Primary impact is availability: a single malicious input can crash the entire AI service process. Risk multiplies in multi-tenant architectures where one user can affect all others.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain	pip	>= 0, < 0.2.5	`0.2.5`
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →
langchain-community	pip	< 0.2.5	`0.2.5`
135.7K OpenSSF 6.5 1.2K dependents Pushed 7d ago 80% patched ~48d to patch Full package profile →

Severity & Risk

CVSS 3.1

4.2 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 11% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Physical

AC High

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

1 step

1) Patch: Upgrade langchain and langchain-community to >= 0.2.5 — this is the only complete fix. 2) Audit: Grep codebase for SitemapLoader usage and determine whether URLs are user-controlled or hardcoded. 3) Workaround (if patching is delayed): Wrap parse_sitemap calls in try/except RecursionError with circuit-breaker logic, or enforce a URL allowlist for permitted sitemaps. 4) Detect: Alert on RecursionError exceptions in AI service logs — unexpected occurrences may indicate active exploitation attempts. 5) Dependency scanning: Add langchain-community to SCA tooling with a fail-build rule for versions < 0.2.5.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Supply Chain Framework RAG AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

Clause 8 - Operation

NIST AI RMF

MANAGE-2.2 - Mechanisms to address identified AI risks

OWASP LLM Top 10

LLM04 - Model Denial of Service LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-2965?

If your LangChain-based application uses SitemapLoader with user-controlled URLs, an attacker can crash the Python process by submitting a self-referencing sitemap — taking the service offline. Upgrade langchain-community to 0.2.5 or later. Low urgency for environments where sitemap URLs are hardcoded or admin-controlled; high urgency for multi-tenant or user-driven data ingestion pipelines.

Is CVE-2024-2965 actively exploited?

No confirmed active exploitation of CVE-2024-2965 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-2965?

1) Patch: Upgrade langchain and langchain-community to >= 0.2.5 — this is the only complete fix. 2) Audit: Grep codebase for SitemapLoader usage and determine whether URLs are user-controlled or hardcoded. 3) Workaround (if patching is delayed): Wrap parse_sitemap calls in try/except RecursionError with circuit-breaker logic, or enforce a URL allowlist for permitted sitemaps. 4) Detect: Alert on RecursionError exceptions in AI service logs — unexpected occurrences may indicate active exploitation attempts. 5) Dependency scanning: Add langchain-community to SCA tooling with a fail-build rule for versions < 0.2.5.

What systems are affected by CVE-2024-2965?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines.

What is the CVSS score for CVE-2024-2965?

CVE-2024-2965 has a CVSS v3.1 base score of 4.2 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Exploitation Scenario

An adversary targeting a RAG-powered product that allows users to specify external documentation sources submits a URL pointing to a crafted sitemap.xml that references itself (e.g., <sitemap><loc>https://attacker.com/sitemap.xml</loc></sitemap>). LangChain's SitemapLoader fetches it and calls parse_sitemap recursively with no depth limit or cycle detection. After ~1000 recursive calls, Python raises RecursionError and the process crashes. In a shared SaaS environment, this takes down the service for all tenants simultaneously. Attacker effort: minimal — a single HTTP request with a self-referencing sitemap is sufficient.