History: Mar 03, 2024 - 12:00 a.m.

CVE-2024-28088

2024-03-03 00:00:00
mitre
github.com
langchain
directory traversal
api key disclosure
remote code execution
github repository
patch available

AI Score

7.6

Confidence

High

SSVC

Exploitation

poc

Automatable

no

Technical Impact

total

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*"
    ],
    "vendor": "langchain",
    "product": "langchain",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "custom",
        "lessThanOrEqual": "0.1.10"
      }
    ],
    "defaultStatus": "unknown"
  }
]