Guardrails AI vulnerable to Improper Restriction of XML External Entity Reference

Moderate severity GitHub Reviewed Published Jul 21, 2024 to the GitHub Advisory Database • Updated Aug 1, 2024

Package

guardrails-ai (pip)

Affected versions

< 0.5.0

Patched versions

0.5.0

Description

RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users who consume RAIL documents from external sources are vulnerable to XML External Entity (XXE) injection, which may leak internal file data via the SYSTEM entity.
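
For RAIL input that still has to be accepted from external sources, a pre-parse gate can refuse any document that carries a DOCTYPE before it reaches a RAIL loader. This is an added example using only the Python standard library, not code from Guardrails AI or from this advisory; the function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeRailError(ValueError):
    """Raised when untrusted RAIL input is malformed or carries a DTD."""


def _reject_doctype(*_args):
    # Entities (including SYSTEM entities) can only be declared inside a DTD,
    # so refusing the DOCTYPE itself blocks every entity declaration.
    raise UnsafeRailError("DOCTYPE declarations are not allowed in untrusted RAIL")


def load_untrusted_rail(text: str) -> ET.Element:
    """Return the parsed root element only if the document has no DOCTYPE."""
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    try:
        checker.Parse(text, True)  # first pass: structure check only
    except expat.ExpatError as exc:
        raise UnsafeRailError(f"malformed XML: {exc}") from exc
    return ET.fromstring(text)  # second pass: build the tree


def rail_is_acceptable(text: str) -> bool:
    """Boolean wrapper for use in input validation."""
    try:
        load_untrusted_rail(text)
    except UnsafeRailError:
        return False
    return True


# Constructed sample: a minimal RAIL-style document with no DTD.
BENIGN_RAIL = """<rail version="0.1">
  <output><string name="summary"/></output>
  <prompt>Summarize the ticket.</prompt>
</rail>"""

# Constructed sample: declares a SYSTEM entity (placeholder URI) in a DOCTYPE.
XXE_RAIL = """<?xml version="1.0"?>
<!DOCTYPE rail [<!ENTITY ext SYSTEM "file:///placeholder/constructed-path">]>
<rail version="0.1"><prompt>&ext;</prompt></rail>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RAIL), ("xxe", XXE_RAIL)):
        print(name, "accepted" if rail_is_acceptable(doc) else "rejected")
```

Upgrading to the patched version listed above remains the fix; a gate like this only narrows what untrusted input can reach the parser.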

References

Published by the National Vulnerability Database Jul 21, 2024
Published to the GitHub Advisory Database Jul 21, 2024
Reviewed Jul 22, 2024
Last updated Aug 1, 2024

Severity

Moderate

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-6961

GHSA ID

GHSA-f8hx-f4xw-c646