Headline
GHSA-pw95-88fg-3j6f: Langroid Allows XXE Injection via XMLToolMessage
Summary
A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.
Details
XMLToolMessage uses lxml without safeguards:
https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52
lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default.
Check here: https://pypi.org/project/defusedxml/#python-xml-libraries
PoC
A typical Quadratic blowup XML payload looks like this:
<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>
Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.
Fix
Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.
https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
Summary
A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.
Details
XMLToolMessage uses lxml without safeguards:
https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52
lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default.
Check here: https://pypi.org/project/defusedxml/#python-xml-libraries
PoC
A typical Quadratic blowup XML payload looks like this:
<!DOCTYPE bomb [ <!ENTITY a "aaaaaaaaaa"> <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;"> <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> ]> <bomb>&c;</bomb>
Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.
Fix
Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.
langroid/langroid@36e7e7d
References
- GHSA-pw95-88fg-3j6f
- langroid/langroid@36e7e7d
- https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52