Description

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

INFO

Published Date :

2024-10-29T12:49:21.165Z

Last Modified :

2024-10-29T13:31:38.566Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-7774 vulnerability.

Vendors Products
Langchain
  • Langchain.js
Langchain-ai
  • Langchain-ai\/langchainjs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-7774.

URL Resource
https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9 cve-icon cve-icon
https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact