GHSA-hc5w-c9f8-9cc4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hc5w-c9f8-9cc4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-hc5w-c9f8-9cc4/GHSA-hc5w-c9f8-9cc4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-hc5w-c9f8-9cc4
- Aliases
- Related
- Published
- 2024-10-29T15:32:05Z
- Modified
- 2024-11-04T22:12:13.588171Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Langchain Path Traversal vulnerability
- Details
-
A path traversal vulnerability exists in the
getFullPathmethod of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read.txtfiles, and delete files. The vulnerability is exploited through thesetFileContent,getParsedFile, andmdeletemethods, which do not properly sanitize user input. - Database specific
{ "nvd_published_at": "2024-10-29T13:15:09Z", "cwe_ids": [ "CWE-22", "CWE-29" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-10-29T19:40:07Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-7774
- https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9
- https://github.com/langchain-ai/langchainjs
- https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-111.yaml
- https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee
Affected packages
npm / langchain
Package
- Name
- langchain
- View open source insights on deps.dev
- Purl
- pkg:npm/langchain