GHSA-pw95-88fg-3j6f
Langroid Allows XXE Injection via XMLToolMessage
Details
### Summary A LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.
### Details `XMLToolMessage` uses `lxml` without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 `lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries
### PoC A typical Quadratic blowup XML payload looks like this: ```xml <!DOCTYPE bomb [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> ]> <bomb>&c;</bomb> ``` Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application. ### Fix Langroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-46726 [ADVISORY]
- https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3 [WEB]
- https://github.com/langroid/langroid [PACKAGE]
- https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 [WEB]