PYSEC-2026-2561

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/langchain-community/PYSEC-2026-2561.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2561
Aliases
Published
2026-07-13T14:36:32.210054Z
Modified
2026-07-13T16:43:37.506313050Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of service in langchain-community
Details

Denial of service in SitemapLoader Document Loader in the langchain-community package, affecting versions below 0.2.5. The parse_sitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

References

Affected packages

PyPI / langchain-community

Package

Name
langchain-community
View open source insights on deps.dev
Purl
pkg:pypi/langchain-community

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.2.5

Affected versions

0.*
0.0.1rc1
0.0.1rc2
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.2.0rc1
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/langchain-community/PYSEC-2026-2561.yaml"