Cradicle Explorer
ai-agents-security_AI-Infra-Guard
/ data / vuln_en / langchain / CVE-2024-7774.yaml
CVE-2024-7774.yaml
 1  info:
 2    name: langchain
 3    cve: CVE-2024-7774
 4    summary: Langchain Path Traversal vulnerability
 5    details: |
 6      A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. 
 7      This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, 
 8      read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, 
 9      `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
10    cvss: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
11    severity: MEDIUM
12    security_advise: |
13      1. Upgrade to langchainjs version 0.2.19 or higher.
14      2. Review and sanitize all user inputs to prevent path traversal attacks.
15      3. Implement strict file access controls to limit file operations.
16  rule: version >= "0" && version < "0.2.19"
17  references:
18    - https://nvd.nist.gov/vuln/detail/CVE-2024-7774
19    - https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9
20    - https://github.com/langchain-ai/langchainjs
21    - https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-111.yaml
22    - https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee