CVE-2024-2965: 
Python vulnerability analysis and mitigation

A Denial-of-Service (DoS) vulnerability exists in the SitemapLoader class of the langchain-ai/langchain repository (CVE-2024-2965), affecting all versions prior to 0.2.5. The vulnerability was discovered and disclosed on June 6, 2024. The parse_sitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself (NVD).

The vulnerability stems from the parse_sitemap method's implementation, which lacks proper depth control mechanisms. When processing sitemap URLs, the method can enter an infinite recursive loop if a sitemap references itself, leading to exceeding the maximum recursion depth in Python. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can lead to a Denial-of-Service condition by occupying server socket/port resources and ultimately causing the Python process to crash. This impacts the availability of services that rely on the SitemapLoader functionality (NVD).

A fix has been implemented that restricts the depth to which the sitemap can be parsed. The patch introduces a depth parameter and maximum depth check in the parse_sitemap method. Users should upgrade to version 0.2.5 or later to address this vulnerability (Github Commit).