A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

Affected Packages

npm langchain

Affected versions: 0 (fixed in 0.2.19)

Related CVEs

CVE-2024-7774

Key Information

GHSA ID

GHSA-hc5w-c9f8-9cc4

Published

October 29, 2024 3:32 PM

Last Modified

November 1, 2024 3:24 PM

CVSS Score

5.0 /10

Primary Ecosystem

npm

Primary Package

langchain

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.