CVE-2025-6984 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2025-6984 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6984, increasing the risk of exploitation.

Q: How to fix CVE-2025-6984?

1. PATCH: Upgrade langchain-community to ≥0.3.27 immediately — the fix disables external entity resolution in etree.iterparse(). 2. AUDIT: Enumerate all uses of EverNoteLoader and any XML-parsing document loaders across your LangChain deployments. 3. INPUT VALIDATION: Reject .enex files from untrusted sources at API/upload boundaries before they reach the loader. 4. LEAST PRIVILEGE: Run LangChain processes with read-only mounts and no access to /etc, credential stores, ~/.aws, or .env files using container security contexts or seccomp profiles. 5. NETWORK EGRESS: Block outbound HTTP/file connections from application servers to prevent out-of-band XXE data exfiltration. 6. DETECTION: Alert on anomalous file read patterns in application logs (paths: /etc/passwd, /proc/self/environ, ~/.aws/credentials, *.env).

Q: What systems are affected by CVE-2025-6984?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document processing pipelines, agent frameworks, data ingestion pipelines.

Q: What is the CVSS score for CVE-2025-6984?

CVE-2025-6984 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.92%.

CISO Take

Any LangChain deployment ingesting Evernote files (.enex) from untrusted sources is vulnerable to local file disclosure via XXE — attackers can read /etc/passwd, .env files, and cloud credentials off the host. Patch langchain-community to 0.3.27 immediately. Until patched, treat all external Evernote file ingestion as a critical-risk operation and restrict filesystem access of the process running LangChain.

Risk Assessment

High severity with near-zero exploitation complexity — XXE payloads are trivially crafted and require no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS of 2% reflects limited active exploitation today, but LangChain's massive footprint in RAG and document processing pipelines makes this a high-value target with broad blast radius. Risk is elevated for organizations ingesting Evernote exports from third parties, customers, or automated workflows.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain-community	pip	< 0.3.27	`0.3.27`
135.7K OpenSSF 6.5 1.2K dependents Pushed 7d ago 80% patched ~48d to patch Full package profile →

Do you use langchain-community? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

1.9%

chance of exploitation in 30 days

Higher than 83% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

PATCH

Upgrade langchain-community to ≥0.3.27 immediately — the fix disables external entity resolution in etree.iterparse().
AUDIT

Enumerate all uses of EverNoteLoader and any XML-parsing document loaders across your LangChain deployments.
INPUT VALIDATION

Reject .enex files from untrusted sources at API/upload boundaries before they reach the loader.
LEAST PRIVILEGE

Run LangChain processes with read-only mounts and no access to /etc, credential stores, ~/.aws, or .env files using container security contexts or seccomp profiles.
NETWORK EGRESS

Block outbound HTTP/file connections from application servers to prevent out-of-band XXE data exfiltration.
DETECTION

Alert on anomalous file read patterns in application logs (paths: /etc/passwd, /proc/self/environ, ~/.aws/credentials, *.env).

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework RAG AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.6.2.6 - AI system security

NIST AI RMF

MANAGE 2.2 - Treatments, responses, and chosen actions are documented and monitored regularly

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6984?

Any LangChain deployment ingesting Evernote files (.enex) from untrusted sources is vulnerable to local file disclosure via XXE — attackers can read /etc/passwd, .env files, and cloud credentials off the host. Patch langchain-community to 0.3.27 immediately. Until patched, treat all external Evernote file ingestion as a critical-risk operation and restrict filesystem access of the process running LangChain.

Is CVE-2025-6984 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6984, increasing the risk of exploitation.

How to fix CVE-2025-6984?

1. PATCH: Upgrade langchain-community to ≥0.3.27 immediately — the fix disables external entity resolution in etree.iterparse(). 2. AUDIT: Enumerate all uses of EverNoteLoader and any XML-parsing document loaders across your LangChain deployments. 3. INPUT VALIDATION: Reject .enex files from untrusted sources at API/upload boundaries before they reach the loader. 4. LEAST PRIVILEGE: Run LangChain processes with read-only mounts and no access to /etc, credential stores, ~/.aws, or .env files using container security contexts or seccomp profiles. 5. NETWORK EGRESS: Block outbound HTTP/file connections from application servers to prevent out-of-band XXE data exfiltration. 6. DETECTION: Alert on anomalous file read patterns in application logs (paths: /etc/passwd, /proc/self/environ, ~/.aws/credentials, *.env).

What systems are affected by CVE-2025-6984?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, document processing pipelines, agent frameworks, data ingestion pipelines.

What is the CVSS score for CVE-2025-6984?

CVE-2025-6984 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 1.92%.

Technical Details

NVD Description

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.

Exploitation Scenario

An attacker uploads a crafted Evernote export file to a RAG-based document ingestion endpoint. The .enex file embeds an XXE payload: <!DOCTYPE foo [<!ENTITY xxe SYSTEM 'file:///etc/passwd'>]> referencing a local file. When EverNoteLoader processes it via unpatched etree.iterparse(), the external entity resolves and injects /etc/passwd contents into the parsed document. The attacker reads the exfiltrated data through the application response or infers it via error messages. They then iterate through high-value paths (/proc/self/environ, ~/.aws/credentials, /run/secrets/) to harvest cloud credentials. On a Kubernetes pod or cloud VM, this yields IAM tokens sufficient for lateral movement into the broader cloud environment.