CVE-2024-28088

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-28088

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28088.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-28088

Aliases

Published

2024-03-03T00:00:00Z

Modified

2026-05-20T04:02:02.568563171Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

Database specific

{
    "cna_assigner": "mitre",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28088.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "0.1.10"
                }
            ],
            "source": "DESCRIPTION"
        }
    ]
}

References

Affected packages

Git / github.com/langchain-ai/langchain

Affected ranges

Type

GIT

Repo

https://github.com/langchain-ai/langchain

Events

Introduced

Fixed

873d06c009409560d52cde3f1a2b39f268319112

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.1.12"
        }
    ],
    "source": "CPE_FIELD",
    "cpe": "cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*"
}

Affected versions

v0.*

v0.0.1

v0.0.100

v0.0.101

v0.0.102

v0.0.103

v0.0.104

v0.0.105

v0.0.106

v0.0.107

v0.0.108

v0.0.109

v0.0.110

v0.0.111

v0.0.112

v0.0.113

v0.0.114

v0.0.115

v0.0.116

v0.0.117

v0.0.118

v0.0.119

v0.0.120

v0.0.121

v0.0.122

v0.0.123

v0.0.124

v0.0.125

v0.0.126

v0.0.127

v0.0.128

v0.0.129

v0.0.130

v0.0.131

v0.0.132

v0.0.133

v0.0.134

v0.0.135

v0.0.136

v0.0.137

v0.0.138

v0.0.139

v0.0.140

v0.0.141

v0.0.142

v0.0.143

v0.0.144

v0.0.145

v0.0.146

v0.0.147

v0.0.149

v0.0.150

v0.0.151

v0.0.152

v0.0.153

v0.0.154

v0.0.155

v0.0.156

v0.0.157

v0.0.158

v0.0.159

v0.0.160

v0.0.161

v0.0.162

v0.0.163

v0.0.164

v0.0.165

v0.0.166

v0.0.167

v0.0.168

v0.0.169

v0.0.170

v0.0.171

v0.0.172

v0.0.173

v0.0.174

v0.0.175

v0.0.177

v0.0.178

v0.0.179

v0.0.180

v0.0.181

v0.0.182

v0.0.183

v0.0.184

v0.0.185

v0.0.186

v0.0.187

v0.0.188

v0.0.189

v0.0.190

v0.0.191

v0.0.192

v0.0.193

v0.0.194

v0.0.195

v0.0.196

v0.0.197

v0.0.198

v0.0.199

v0.0.1rc0

v0.0.1rc1

v0.0.1rc2

v0.0.1rc3

v0.0.1rc4

v0.0.2

v0.0.200

v0.0.201

v0.0.202

v0.0.204

v0.0.205

v0.0.206

v0.0.207

v0.0.208

v0.0.209

v0.0.210

v0.0.211

v0.0.212

v0.0.213

v0.0.214

v0.0.215

v0.0.216

v0.0.217

v0.0.218

v0.0.219

v0.0.220

v0.0.221

v0.0.222

v0.0.223

v0.0.224

v0.0.225

v0.0.226

v0.0.227

v0.0.228

v0.0.229

v0.0.230

v0.0.231

v0.0.232

v0.0.233

v0.0.234

v0.0.235

v0.0.236

v0.0.237

v0.0.238

v0.0.239

v0.0.240

v0.0.240rc0

v0.0.240rc1

v0.0.240rc4

v0.0.242

v0.0.243

v0.0.244

v0.0.245

v0.0.247

v0.0.248

v0.0.249

v0.0.250

v0.0.251

v0.0.252

v0.0.253

v0.0.254

v0.0.255

v0.0.256

v0.0.257

v0.0.258

v0.0.259

v0.0.260

v0.0.261

v0.0.262

v0.0.263

v0.0.264

v0.0.265

v0.0.266

v0.0.267

v0.0.268

v0.0.269

v0.0.270

v0.0.271

v0.0.272

v0.0.273

v0.0.274

v0.0.275

v0.0.276

v0.0.277

v0.0.278

v0.0.279

v0.0.281

v0.0.283

v0.0.284

v0.0.285

v0.0.286

v0.0.287

v0.0.288

v0.0.289

v0.0.290

v0.0.291

v0.0.292

v0.0.293

v0.0.294

v0.0.295

v0.0.296

v0.0.297

v0.0.298

v0.0.299

v0.0.300

v0.0.301

v0.0.302

v0.0.303

v0.0.304

v0.0.305

v0.0.306

v0.0.307

v0.0.308

v0.0.309

v0.0.310

v0.0.311

v0.0.312

v0.0.313

v0.0.314

v0.0.315

v0.0.316

v0.0.317

v0.0.318

v0.0.319

v0.0.320

v0.0.321

v0.0.322

v0.0.323

v0.0.324

v0.0.325

v0.0.326

v0.0.327

v0.0.329

v0.0.330

v0.0.331

v0.0.331rc0

v0.0.331rc1

v0.0.331rc2

v0.0.331rc3

v0.0.332

v0.0.333

v0.0.334

v0.0.335

v0.0.336

v0.0.337

v0.0.338

v0.0.339

v0.0.339rc0

v0.0.339rc1

v0.0.339rc2

v0.0.339rc3

v0.0.340

v0.0.341

v0.0.342

v0.0.343

v0.0.344

v0.0.345

v0.0.346

v0.0.347

v0.0.348

v0.0.349

v0.0.349-rc.1

v0.0.349-rc.2

v0.0.350

v0.0.351

v0.0.352

v0.0.353

v0.0.354

v0.0.4

v0.0.5

v0.0.64

v0.0.65

v0.0.66

v0.0.67

v0.0.68

v0.0.69

v0.0.70

v0.0.71

v0.0.72

v0.0.73

v0.0.74

v0.0.75

v0.0.76

v0.0.77

v0.0.78

v0.0.79

v0.0.80

v0.0.81

v0.0.82

v0.0.83

v0.0.84

v0.0.85

v0.0.86

v0.0.87

v0.0.88

v0.0.89

v0.0.90

v0.0.91

v0.0.92

v0.0.93

v0.0.94

v0.0.95

v0.0.96

v0.0.97

v0.0.98

v0.0.99

v0.1.0

v0.1.1

v0.1.10

v0.1.11

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28088.json"