CVE-2025-6853: Langchain-Chatchat has a Path Traversal vulnerability

June 29, 2025 (updated September 16, 2025)

A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the function upload_temp_docs of the file /knowledge_base/upload_temp_docs of the component Backend. The manipulation of the argument flag leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

References

github.com/advisories/GHSA-qmgv-j263-qr33
github.com/chatchat-space/Langchain-Chatchat
github.com/chatchat-space/Langchain-Chatchat/issues/5352
nvd.nist.gov/vuln/detail/CVE-2025-6853
vuldb.com/?ctiid.314325
vuldb.com/?id.314325
vuldb.com/?submit.601155

Code Behaviors & Features

Detect and mitigate CVE-2025-6853 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →