langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

Affected Packages

PyPI langchain

Affected versions: 0 (fixed in 0.0.353)

Related CVEs

CVE-2024-3571

Key Information

GHSA ID

GHSA-rgp8-pm28-3759

Published

April 16, 2024 12:30 AM

Last Modified

April 16, 2024 6:26 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

langchain

GitHub Reviewed

✓ Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.