PyPI: langchain

CVE-2024-28088

Safety vulnerability ID: SFTY-20240304-63735

Safety legacy ID: pyup.io-66051

Affected versions of the LangChain package are vulnerable to Path Traversal due to improper sanitization of the path parameter in the `load_chain` call. The `load_chain` function allows user input to manipulate the final part of the path, enabling traversal outside the intended directory scope. An attacker can exploit this by crafting a path that accesses sensitive files, potentially leading to Information Disclosure of API keys or even Remote Code Execution if malicious scripts are executed.

PythonPyPINVDNVDGitHubGHSA
Created at: Jan 6, 2026Updated at: Jan 6, 2026

Overview

LangChain directory traversal vulnerability

Advisory

Affected versions of the LangChain package are vulnerable to Path Traversal due to improper sanitization of the path parameter in the `load_chain` call. The `load_chain` function allows user input to manipulate the final part of the path, enabling traversal outside the intended directory scope. An attacker can exploit this by crafting a path that accesses sensitive files, potentially leading to Information Disclosure of API keys or even Remote Code Execution if malicious scripts are executed.

Affected Package

Affecting langchain package, versions
>=0.0.75,<=0.0.340

Also affects

---

How to Fix

Upgrade
langchain
to
0.0.341
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more