Description
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
Published: 2024-03-03
Score: 8.1 High
EPSS: 13.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h59x-p739-982c LangChain directory traversal vulnerability
History

Wed, 08 Jan 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langchain
Weaknesses CWE-22
CPEs cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*
Vendors & Products Langchain
Langchain langchain

Mon, 26 Aug 2024 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-31
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Langchain Langchain
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-26T19:44:45.330Z

Reserved: 2024-03-03T00:00:00.000Z

Link: CVE-2024-28088

cve-icon Vulnrichment

Updated: 2024-08-02T00:48:48.940Z

cve-icon NVD

Status : Analyzed

Published: 2024-03-04T00:15:47.017

Modified: 2025-01-08T16:13:57.860

Link: CVE-2024-28088

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses