To address and fix CVE-2025-6985 for XXE Vulnerability in langchain-text-splitters (#1774)

justjais · web-flow · commit 2527c521f8d7 · 2025-10-14T16:11:56.000+05:30
* fix CVE-2025-6985 for XXE Vulnerability in langchain-text-splitters * update n skip pip-audit social-auth-app-django vulnerability issue * fix pip compile
diff --git a/.github/workflows/pip_audit.yml b/.github/workflows/pip_audit.yml
@@ -68,3 +68,6 @@ jobs:
             # pip 25.3 is not released yet
             # See: https://github.com/advisories/GHSA-4xh5-x5gv-qwph
             GHSA-4xh5-x5gv-qwph
+            # To remove once we upgrade to Django 5+ (requires major version upgrade)
+            # social-auth-app-django vulnerability requires Django>=5.1
+            GHSA-wv4w-6qv2-qqfg
diff --git a/pyproject.toml b/pyproject.toml
@@ -30,6 +30,7 @@ dependencies = [
   'jinja2~=3.1.6',
   'langchain~=0.3.10',
   'langchain-ollama~=0.3.5',
+  'langchain-text-splitters~=0.3.11',
   'launchdarkly-server-sdk~=8.3.0',
   'llama-stack-client>=0.2.12',
   'protobuf~=5.29.5',
diff --git a/requirements-aarch64.txt b/requirements-aarch64.txt
@@ -253,15 +253,17 @@ jwcrypto==1.5.6
     #   django-oauth-toolkit
 langchain==0.3.26
     # via -r requirements.in
-langchain-core==0.3.69
+langchain-core==0.3.79
     # via
     #   langchain
     #   langchain-ollama
     #   langchain-text-splitters
 langchain-ollama==0.3.5
     # via -r requirements.in
-langchain-text-splitters==0.3.8
-    # via langchain
+langchain-text-splitters==0.3.11
+    # via
+    #   -r requirements.in
+    #   langchain
 langsmith==0.4.8
     # via
     #   langchain
diff --git a/requirements-x86_64.txt b/requirements-x86_64.txt
@@ -253,15 +253,17 @@ jwcrypto==1.5.6
     #   django-oauth-toolkit
 langchain==0.3.26
     # via -r requirements.in
-langchain-core==0.3.69
+langchain-core==0.3.79
     # via
     #   langchain
     #   langchain-ollama
     #   langchain-text-splitters
 langchain-ollama==0.3.5
     # via -r requirements.in
-langchain-text-splitters==0.3.8
-    # via langchain
+langchain-text-splitters==0.3.11
+    # via
+    #   -r requirements.in
+    #   langchain
 langsmith==0.4.8
     # via
     #   langchain
diff --git a/requirements.in b/requirements.in
@@ -47,6 +47,8 @@ jinja2==3.1.6
 jsonpickle==3.3.0
 langchain==0.3.26
 langchain-ollama==0.3.5
+# CVE-2025-6985: XXE Vulnerability fixed in 0.3.9+
+langchain-text-splitters==0.3.11
 launchdarkly-server-sdk==8.3.0
 llama-stack-client>=0.2.12
 protobuf==5.29.5
