Moderate severityNVD Advisory· Published Oct 29, 2024· Updated Oct 29, 2024
Path Traversal in langchain-ai/langchainjs
CVE-2024-7774
Description
A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files. The vulnerability is exploited through the setFileContent, getParsedFile, and mdelete methods, which do not properly sanitize user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
langchainnpm | < 0.2.19 | 0.2.19 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/kibana-8pkg:apk/chainguard/kibana-8-bitnamipkg:apk/chainguard/kibana-8-iamguardedpkg:npm/langchain
< 8.16.1-r1+ 3 more
- (no CPE)range: < 8.16.1-r1
- (no CPE)range: < 8.16.1-r1
- (no CPE)range: < 8.16.1-r1
- (no CPE)range: < 0.2.19
- Range: unspecified
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-hc5w-c9f8-9cc4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-7774ghsaADVISORY
- github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-111.yamlghsaWEB
- huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628ceeghsaWEB
News mentions
0No linked articles in our index yet.