A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NLangchain Langchain.js
APPLangchain0.2.5
Related vulnerabilities
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1...
Podatność deserialization injection w funkcjach dumps/dumpd LangChain Core
SSRF w LangChain RequestsToolkit — dostęp do sieci wewnętrznej i metadanych chmury
SQL injection przez prompt injection w LangChain GraphCypherQAChain
SQL injection przez prompt injection w LangChain GraphCypherQAChain