GHSA-rgp8-pm28-3759: langchain vulnerable to path traversal

Skip to content

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-3571

langchain vulnerable to path traversal

Moderate severity GitHub Reviewed Published Apr 16, 2024 to the GitHub Advisory Database • Updated Apr 16, 2024

Package

pip langchain (pip)

Affected versions

< 0.0.353

Description

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory (‘Path Traversal’) in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-3571
• langchain-ai/langchain@aad3d8b
• https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8

Published to the GitHub Advisory Database

Apr 16, 2024

Last updated

Apr 16, 2024