langchain_community-0.3.7-py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5) unreachable

[mend-for-github-com]

Vulnerable Library - langchain_community-0.3.7-py3-none-any.whl

Community contributed LangChain integrations.

Library home page: https://files.pythonhosted.org/packages/cc/19/f8af1cdefe326730ae02bd653f7382693153baf0bac7a69537d7811cad5f/langchain_community-0.3.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/langchain_community-0.3.7-py3-none-any.whl

Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa

Vulnerabilities

Vulnerability	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (langchain_community version)	Remediation Possible**	Reachability
CVE-2025-6984	High	7.5	Not Defined	0.0%	langchain_community-0.3.7-py3-none-any.whl	Direct	0.3.27	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-6984

Vulnerable Library - langchain_community-0.3.7-py3-none-any.whl

Community contributed LangChain integrations.

Library home page: https://files.pythonhosted.org/packages/cc/19/f8af1cdefe326730ae02bd653f7382693153baf0bac7a69537d7811cad5f/langchain_community-0.3.7-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260219120409_AEEMWL/python_IKDEBG/20260219120410/langchain_community-0.3.7-py3-none-any.whl

Dependency Hierarchy:

• ❌ langchain_community-0.3.7-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c2a0de4212c13487918a46a2935ca84031dd91aa

Found in base branch: main

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing. The affected version is 0.3.63. The vulnerability arises from the use of etree.iterparse() without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as /etc/passwd.

Publish Date: 2025-09-04

URL: CVE-2025-6984

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-09-04

Fix Resolution: 0.3.27

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.