langchain-text-splitters is vulnerable to XML External Entity (XXE) Attack
91
Critical Risk
Affected versions of this package are vulnerable to XML External Entity (XXE) attacks due to insecure handling of XML in the HTMLSectionSplitter component. This vulnerability allows attackers to read sensitive local files (such as SSH keys, passwords, or configuration files), perform server-side request forgery (SSRF), and exfiltrate data to external servers. The issue stems from the use of the xslt_path parameter and insecure parser configurations. The fix removes the xslt_path parameter and hardens the XML/HTML parsers with secure settings.
You are affected if you are using a version that falls within the vulnerable range.
langchain-text-splitters is vulnerable to XML External Entity (XXE) Attack in versions 0.3.8 - 0.3.8.
Upgrade the langchain-text-splitters library to a patched version.
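The advisory attributes the flaw to insecure XML/HTML parser settings and the XSLT path handling; as an added example (not code from langchain or this advisory), the block below shows a defender-side triage check for untrusted markup plus the lxml parser and XSLT access-control settings that block entity expansion and external fetches. The function names, the sample documents and the parser settings are assumptions for illustration, not the project's own API.

```python
import re

# Matches an entity declaration inside a DOCTYPE internal subset. Plain
# HTML5 ("<!DOCTYPE html>") has no internal subset, so it never matches.
_ENTITY_DECL = re.compile(r"<!ENTITY\b", re.IGNORECASE)
# Matches a DOCTYPE that points at an external DTD. Legacy XHTML/HTML4
# doctypes match too, so treat this as a triage signal, not a hard reject.
_EXTERNAL_DTD = re.compile(r"<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def find_xxe_indicators(document: str) -> list[str]:
    """Return the DTD constructs in untrusted markup that enable XXE.

    An empty list means no entities are declared and no external DTD is
    referenced, so there is nothing for a parser to expand or fetch.
    """
    findings = []
    if _ENTITY_DECL.search(document):
        findings.append("entity-declaration")
    if _EXTERNAL_DTD.search(document):
        findings.append("external-dtd")
    return findings


def make_hardened_parsers():
    """Build lxml parsers and an XSLT access policy with XXE-safe settings."""
    from lxml import etree  # imported here so the gate above works without lxml
    xml_parser = etree.XMLParser(
        resolve_entities=False,  # leave entity references unexpanded
        no_network=True,         # forbid fetching external resources
        load_dtd=False,          # never load an external DTD subset
        dtd_validation=False,
    )
    html_parser = etree.HTMLParser(no_network=True)
    # Deny the XSLT engine file and network access (document(), xsl:include).
    xslt_acl = etree.XSLTAccessControl(
        read_file=False, write_file=False, create_dir=False,
        read_network=False, write_network=False,
    )
    return xml_parser, html_parser, xslt_acl


def parse_without_expansion(xml_text: str) -> str:
    """Parse with the hardened parser; declared entities survive as references."""
    from lxml import etree
    xml_parser, _, _ = make_hardened_parsers()
    root = etree.fromstring(xml_text.encode(), parser=xml_parser)
    return etree.tostring(root, encoding="unicode")  # e.g. "<doc>&greet;</doc>"


# Constructed samples for demonstration; not taken from any real incident.
BENIGN_HTML = "<!DOCTYPE html><html><body><h1>Title</h1><p>text</p></body></html>"
HOSTILE_XML = '<!DOCTYPE doc [<!ENTITY greet "hello">]><doc>&greet;</doc>'
```

Run `find_xxe_indicators` on inbound documents before they reach any splitter that builds lxml trees, and log a hit as an attempted entity-expansion attack rather than a parse error.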