Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oNTl4LXA3MzktOTgyY84AA5ue

LangChain directory traversal vulnerability

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.

Permalink: https://github.com/advisories/GHSA-h59x-p739-982c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTl4LXA3MzktOTgyY84AA5ue
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 2 months ago
Updated: about 1 month ago


Identifiers: GHSA-h59x-p739-982c, CVE-2024-28088
References: Repository: https://github.com/PinkDraconian/PoC-Langchain-RCE
Blast Radius: 0.0

Affected Packages

pypi:langchain-core
Dependent packages: 6
Dependent repositories: 168
Downloads: 10,128,408 last month
Affected Version Ranges: >= 0, < 0.1.30
Fixed in: 0.1.30
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29
All unaffected versions: 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.1.39, 0.1.40, 0.1.41, 0.1.42, 0.1.43, 0.1.44, 0.1.45
pypi:langchain
Dependent packages: 657
Dependent repositories: 18,663
Downloads: 7,571,683 last month
Affected Version Ranges: < 0.0.339
Fixed in: 0.0.339
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.20, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.25, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.0.30, 0.0.31, 0.0.32, 0.0.33, 0.0.34, 0.0.35, 0.0.36, 0.0.37, 0.0.38, 0.0.39, 0.0.40, 0.0.41, 0.0.42, 0.0.43, 0.0.44, 0.0.45, 0.0.46, 0.0.47, 0.0.48, 0.0.49, 0.0.50, 0.0.51, 0.0.52, 0.0.53, 0.0.54, 0.0.55, 0.0.56, 0.0.57, 0.0.58, 0.0.59, 0.0.60, 0.0.61, 0.0.63, 0.0.64, 0.0.65, 0.0.66, 0.0.67, 0.0.68, 0.0.69, 0.0.70, 0.0.71, 0.0.72, 0.0.73, 0.0.74, 0.0.75, 0.0.76, 0.0.77, 0.0.78, 0.0.79, 0.0.80, 0.0.81, 0.0.82, 0.0.83, 0.0.84, 0.0.85, 0.0.86, 0.0.87, 0.0.88, 0.0.89, 0.0.90, 0.0.91, 0.0.92, 0.0.93, 0.0.94, 0.0.95, 0.0.96, 0.0.97, 0.0.98, 0.0.99, 0.0.100, 0.0.101, 0.0.102, 0.0.103, 0.0.104, 0.0.105, 0.0.106, 0.0.107, 0.0.108, 0.0.109, 0.0.110, 0.0.111, 0.0.112, 0.0.113, 0.0.114, 0.0.115, 0.0.116, 0.0.117, 0.0.118, 0.0.119, 0.0.120, 0.0.121, 0.0.122, 0.0.123, 0.0.124, 0.0.125, 0.0.126, 0.0.127, 0.0.128, 0.0.129, 0.0.130, 0.0.131, 0.0.132, 0.0.133, 0.0.134, 0.0.135, 0.0.136, 0.0.137, 0.0.138, 0.0.139, 0.0.140, 0.0.141, 0.0.142, 0.0.143, 0.0.144, 0.0.145, 0.0.146, 0.0.147, 0.0.148, 0.0.149, 0.0.150, 0.0.151, 0.0.152, 0.0.153, 0.0.154, 0.0.155, 0.0.156, 0.0.157, 0.0.158, 0.0.159, 0.0.160, 0.0.161, 0.0.162, 0.0.163, 0.0.164, 0.0.165, 0.0.166, 0.0.167, 0.0.168, 0.0.169, 0.0.170, 0.0.171, 0.0.172, 0.0.173, 0.0.174, 0.0.175, 0.0.176, 0.0.177, 0.0.178, 0.0.179, 0.0.180, 0.0.181, 0.0.182, 0.0.183, 0.0.184, 0.0.185, 0.0.186, 0.0.187, 0.0.188, 0.0.189, 0.0.190, 0.0.191, 0.0.192, 0.0.193, 0.0.194, 0.0.195, 0.0.196, 0.0.197, 0.0.198, 0.0.199, 0.0.200, 0.0.201, 0.0.202, 0.0.203, 0.0.204, 0.0.205, 0.0.206, 0.0.207, 0.0.208, 0.0.209, 0.0.210, 0.0.211, 0.0.212, 0.0.213, 0.0.214, 0.0.215, 0.0.216, 0.0.217, 0.0.218, 0.0.219, 0.0.220, 0.0.221, 0.0.222, 0.0.223, 0.0.224, 0.0.225, 0.0.226, 0.0.227, 0.0.228, 0.0.229, 0.0.230, 0.0.231, 0.0.232, 0.0.233, 0.0.234, 0.0.235, 0.0.236, 0.0.237, 0.0.238, 0.0.239, 0.0.240, 0.0.242, 0.0.243, 0.0.244, 0.0.245, 0.0.246, 0.0.247, 0.0.248, 0.0.249, 0.0.250, 0.0.251, 0.0.252, 0.0.253, 0.0.254, 0.0.255, 0.0.256, 0.0.257, 0.0.258, 0.0.259, 0.0.260, 0.0.261, 0.0.262, 0.0.263, 0.0.264, 0.0.265, 0.0.266, 0.0.267, 0.0.268, 0.0.269, 0.0.270, 0.0.271, 0.0.272, 0.0.273, 0.0.274, 0.0.275, 0.0.276, 0.0.277, 0.0.278, 0.0.279, 0.0.281, 0.0.283, 0.0.284, 0.0.285, 0.0.286, 0.0.287, 0.0.288, 0.0.289, 0.0.290, 0.0.291, 0.0.292, 0.0.293, 0.0.294, 0.0.295, 0.0.296, 0.0.297, 0.0.298, 0.0.299, 0.0.300, 0.0.301, 0.0.302, 0.0.303, 0.0.304, 0.0.305, 0.0.306, 0.0.307, 0.0.308, 0.0.309, 0.0.310, 0.0.311, 0.0.312, 0.0.313, 0.0.314, 0.0.315, 0.0.316, 0.0.317, 0.0.318, 0.0.319, 0.0.320, 0.0.321, 0.0.322, 0.0.323, 0.0.324, 0.0.325, 0.0.326, 0.0.327, 0.0.329, 0.0.330, 0.0.331, 0.0.332, 0.0.333, 0.0.334, 0.0.335, 0.0.336, 0.0.337, 0.0.338
All unaffected versions: 0.0.339, 0.0.340, 0.0.341, 0.0.342, 0.0.343, 0.0.344, 0.0.345, 0.0.346, 0.0.347, 0.0.348, 0.0.349, 0.0.350, 0.0.351, 0.0.352, 0.0.353, 0.0.354, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16