CVE-2024-7774: Langchain Path Traversal vulnerability
A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. It allows attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files. The vulnerability is reachable through the setFileContent, getParsedFile, and mdelete methods, which do not properly sanitize user-supplied file names before they are passed to getFullPath.
References
- github.com/advisories/GHSA-hc5w-c9f8-9cc4
- github.com/langchain-ai/langchainjs
- github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9
- github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-111.yaml
- huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee
- nvd.nist.gov/vuln/detail/CVE-2024-7774