PyPI: langchain
CVE-2024-3571
Safety vulnerability ID: SFTY-20240416-22286
Safety legacy ID: pyup.io-71615
Affected versions of the langchain package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory in the langchain.storage.file_system.LocalFileStore component. The langchain.storage.file_system.LocalFileStore.mset and mget methods derive filesystem paths from a user-supplied key without ensuring the resolved path remains within the configured root, permitting absolute paths to escape the intended directory.
Overview
langchain vulnerable to path traversal
Advisory
Affected versions of the langchain package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory in the langchain.storage.file_system.LocalFileStore component. The langchain.storage.file_system.LocalFileStore.mset and mget methods derive filesystem paths from a user-supplied key without ensuring the resolved path remains within the configured root, permitting absolute paths to escape the intended directory.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240416-22286/CVE-2024-3571
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3571
- https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412
- https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8
- https://nvd.nist.gov/vuln/detail/CVE-2024-3571
- https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412
- https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8
- https://github.com/advisories/GHSA-rgp8-pm28-3759
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more