CRITICAL🇵🇱 Wersja polska

CVE-2024-7774

CVSS 9.1v3.1pub. 2024-10-29upd. 2025-05-28

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Langchain Langchain.js

    APP
    Langchain
    0.2.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2025-68665HIGH8.6ten sam produkt

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1...

CVE-2025-68664CRITICAL9.3PL ✓ten sam vendor

Podatność deserialization injection w funkcjach dumps/dumpd LangChain Core

CVE-2025-2828CRITICAL10.0PL ✓ten sam vendor

SSRF w LangChain RequestsToolkit — dostęp do sieci wewnętrznej i metadanych chmury

CVE-2024-7042CRITICAL9.8PL ✓ten sam vendor

SQL injection przez prompt injection w LangChain GraphCypherQAChain

CVE-2024-8309CRITICAL9.8PL ✓ten sam vendor

SQL injection przez prompt injection w LangChain GraphCypherQAChain