References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Known Affected Software Configurations Switch to CPE 2.2

Change History

OR
     *cpe:2.3:a:langchain:langchain:0.2.5:*:*:*:*:*:*:*

NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

NIST CWE-22

https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9 No Types Assigned

https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9 Patch

https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee No Types Assigned

https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee Exploit, Third Party Advisory

huntr.dev AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

huntr.dev CWE-29

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

huntr.dev https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9 [No types assigned]

huntr.dev https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee [No types assigned]