CVE-2025-6853.yaml
info:
  name: langchain
  cve: CVE-2025-6853
  summary: Path traversal vulnerability in Langchain-Chatchat's upload_temp_docs function
  details: |
    Remote attackers with low privileges (PR:L) can perform path traversal through the `flag` argument of the `upload_temp_docs` function, reached via the `/knowledge_base/upload_temp_docs` endpoint of the Backend component. Langchain-Chatchat versions up to and including 0.3.1 are affected; the traversal lets the attacker read or modify files outside the intended temporary upload directory.
  cvss: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  severity: HIGH
  security_advise: |
    1. Upgrade to Langchain-Chatchat version 0.3.2 or later
    2. Implement strict input validation for the `flag` parameter (reject path separators, `..` and absolute paths, and check that the resolved path stays under the upload root)
    3. Restrict file system access permissions for the affected component
rule: version > "0" && version < "0.3.2"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-6853
  - https://github.com/chatchat-space/Langchain-Chatchat/issues/5352
  - https://vuldb.com/?ctiid.314325
  - https://vuldb.com/?id.314325
  - https://vuldb.com/?submit.601155
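The bug class behind this entry is a user-controlled request parameter being joined into a filesystem path. The following is an added illustration written for this page, not Langchain-Chatchat's own code: the storage root, the function names and the sample `flag` values are constructed, and the parameter is only called `flag` to match the affected argument. It shows the unsafe join beside the check recommended in item 2 of `security_advise`.

```python
"""
Added example for CVE-2025-6853's bug class (untrusted path component joined
into a storage path). Not Langchain-Chatchat's implementation; all names and
inputs below are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the temporary upload root of the application.
BASE_DIR = Path(tempfile.gettempdir()) / "cve_2025_6853_demo" / "temp"


def temp_dir_vulnerable(flag: str) -> Path:
    """Joins the untrusted value directly. os.path.join discards BASE_DIR when
    `flag` is absolute, and '..' segments walk out of it. This reproduces the
    traversal pattern, not the project's exact code."""
    return Path(os.path.join(str(BASE_DIR), flag))


def temp_dir_hardened(flag: str) -> Path:
    """Accepts a single safe path component and verifies, after resolving
    symlinks and '..', that the result is still inside BASE_DIR."""
    if not flag or flag in (".", ".."):
        raise ValueError("empty or relative flag")
    if any(sep in flag for sep in ("/", "\\", "\0")):
        raise ValueError("path separator in flag")
    # Allow-list: alphanumerics, dash and underscore only.
    if not all(ch.isalnum() or ch in "-_" for ch in flag):
        raise ValueError("disallowed character in flag")
    base = BASE_DIR.resolve()
    candidate = (base / flag).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("flag escapes the upload root")
    return candidate


def escapes_base(path: Path) -> bool:
    """True when `path` resolves to a location outside BASE_DIR."""
    base = BASE_DIR.resolve()
    resolved = path.resolve()
    return resolved != base and base not in resolved.parents


def is_flag_accepted(flag: str) -> bool:
    """Convenience wrapper: does the hardened check accept this flag?"""
    try:
        temp_dir_hardened(flag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign token and typical traversal payloads.
    for sample in ("abc123", "../../../etc/passwd", "/etc/passwd", "a/b"):
        print(f"{sample!r}: vulnerable join escapes root = "
              f"{escapes_base(temp_dir_vulnerable(sample))}, "
              f"hardened check accepts = {is_flag_accepted(sample)}")
```

The order of the checks matters: the allow-list rejects obviously malformed values cheaply, but the final `resolve()` comparison is the check that actually holds, since it also catches symlinks inside the root that point elsewhere.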