4 matches found
CVE-2024-28088
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a loadchain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure...
agent-actors (=0.1.0), agent-lab-sdk (>=0.1.7 <=0.1.16) +309 more potentially affected by CVE-2024-28088 via langchain (>=0.0.100 <=0.0.338)
langchain PYPI version =0.0.100, =0.1.7, =0.2.1, =0.1.0, =0.1.0, =0.1.5, =0.0.2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.1.8, =0.0.5, =0.0.14, =0.0.18 and more Source cves: CVE-2024-28088 Source advisory: OSV:GHSA-H59X-P739-982C...
a-data-processing (=0.0.1), ab-data-processing (=0.0.1) +400 more potentially affected by CVE-2024-28088 via langchain (>=0.0.100 <=0.1.10)
langchain PYPI version =0.0.100, =0.1.7, =0.2.1, =0.1.0, =0.1.0, =0.1.5, =0.0.2, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.8 - airda =0.0.3 and more Source cves: CVE-2024-28088 Source advisory: OSV:PYSEC-2024-43...
CVE-2024-28088
Summary: CVE-2024-28088 affects LangChain prior to 0.1.29. Through the load_chain call, an attacker who can control the final segment of the path can cause directory traversal ("....") and bypass loading configurations from the langchain-hub repo. This can lead to disclosure of secrets (e.g., API...