VYPR
← All advisories
Moderate severityNVD Advisory· Published Apr 16, 2024· Updated Aug 1, 2024

Path Traversal in langchain-ai/langchain

CVE-2024-3571

Description

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LangChain's LocalFileStore has a path traversal vulnerability allowing arbitrary file read/write via unsanitized keys in mset/mget methods.

Vulnerability

CVE-2024-3571 is a path traversal vulnerability in langchain-ai/langchain's LocalFileStore functionality. The core issue lies in the improper handling of file paths within the mset and mget methods. User-supplied keys are not adequately sanitized, allowing directory traversal sequences (e.g., ../) to reach directories outside the intended root path [1].

Exploitation

An attacker can exploit this by providing crafted keys such as /etc/passwd or ../../etc/shadow to the mset or mget methods. The attacker does not require special privileges beyond the ability to interact with the LocalFileStore API. The lack of validation on key paths enables arbitrary file read and write operations on the underlying filesystem [3].

Impact

Successful exploitation can lead to information disclosure by reading sensitive files, or remote code execution if the attacker writes executable files (e.g., scripts) to appropriate locations. This poses a critical risk to applications using LangChain's LocalFileStore for caching or storage [1][4].

Mitigation

The vulnerability has been addressed in commit aad3d8b, which ensures that the root path is absolute and that any resolved full path shares the same common path as the root. Users should upgrade to a patched version immediately. For those unable to upgrade, alternative file stores or additional input validation are recommended [3].

References
  1. NVD - CVE-2024-3571
  2. langchain(patch): Restrict paths in LocalFileStore cache (#15065) · langchain-ai/langchain@aad3d8b
  3. The world’s first bug bounty platform for AI/ML

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
langchainPyPI
< 0.0.3530.0.353

Affected products

2
  • ghsa-coords
    pkg:pypi/langchain
    Range: < 0.0.353
  • langchain-ai/langchain-ai/langchainv5
    Range: unspecified

Patches

1
aad3d8bd47d7

langchain(patch): Restrict paths in LocalFileStore cache (#15065)

https://github.com/langchain-ai/langchainEugene YurtsevDec 22, 2023via ghsa
commit
2 files changed · +34 2
  • libs/langchain/langchain/storage/file_system.py+11 2 modified
    @@ -1,3 +1,4 @@
+import os
 import re
 from pathlib import Path
 from typing import Iterator, List, Optional, Sequence, Tuple, Union
@@ -42,7 +43,7 @@ def __init__(self, root_path: Union[str, Path]) -> None:
             root_path (Union[str, Path]): The root path of the file store. All keys are
                 interpreted as paths relative to this root.
         """
-        self.root_path = Path(root_path)
+        self.root_path = Path(root_path).absolute()
 
     def _get_full_path(self, key: str) -> Path:
         """Get the full path for a given key relative to the root path.
@@ -55,7 +56,15 @@ def _get_full_path(self, key: str) -> Path:
         """
         if not re.match(r"^[a-zA-Z0-9_.\-/]+$", key):
             raise InvalidKeyException(f"Invalid characters in key: {key}")
-        return self.root_path / key
+        full_path = os.path.abspath(self.root_path / key)
+        common_path = os.path.commonpath([str(self.root_path), full_path])
+        if common_path != str(self.root_path):
+            raise InvalidKeyException(
+                f"Invalid key: {key}. Key should be relative to the full path."
+                f"{self.root_path} vs. {common_path} and full path of {full_path}"
+            )
+
+        return Path(full_path)
 
     def mget(self, keys: Sequence[str]) -> List[Optional[bytes]]:
         """Get the values associated with the given keys.
  • libs/langchain/tests/unit_tests/storage/test_filesystem.py+23 0 modified
    @@ -77,3 +77,26 @@ def test_yield_keys(file_store: LocalFileStore) -> None:
     # Assert that the yielded keys match the expected keys
     expected_keys = ["key1", os.path.join("subdir", "key2")]
     assert keys == expected_keys
+
+
+def test_catches_forbidden_keys(file_store: LocalFileStore) -> None:
+    """Make sure we raise exception on keys that are not allowed; e.g., absolute path"""
+    with pytest.raises(InvalidKeyException):
+        file_store.mset([("/etc", b"value1")])
+    with pytest.raises(InvalidKeyException):
+        list(file_store.yield_keys("/etc/passwd"))
+    with pytest.raises(InvalidKeyException):
+        file_store.mget(["/etc/passwd"])
+
+    # check relative paths
+    with pytest.raises(InvalidKeyException):
+        list(file_store.yield_keys(".."))
+
+    with pytest.raises(InvalidKeyException):
+        file_store.mget(["../etc/passwd"])
+
+    with pytest.raises(InvalidKeyException):
+        file_store.mset([("../etc", b"value1")])
+
+    with pytest.raises(InvalidKeyException):
+        list(file_store.yield_keys("../etc/passwd"))

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.