CRITICAL🇵🇱 Wersja polska

CVE-2025-45150

CVSS 9.8v3.1pub. 2025-08-01upd. 2026-07-05

Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request.

🤖 AI Analysis
How it works

The vulnerability stems from incorrectly configured access permissions to resources (CWE-732 — Incorrect Permission Assignment for Critical Resource). The attacker sends a specially crafted HTTP request that bypasses access control mechanisms. As a result, it is possible to read and download files that should have restricted access.

Impact

An attacker can gain access to sensitive application files without authentication, leading to disclosure of potentially confidential data (e.g., configurations, API keys, user data). Combined with the full CIA triad (C:H/I:H/A:H), the consequences may include violations of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to monitor the GitHub repository of the project (https://github.com/X-D-Lab/LangChain-ChatGLM-Webui) to obtain the updated version. Until the patch is deployed, consider restricting access to the application only to trusted networks or applying firewall rules to block external access.

Who is affected

X-D Lab LangChain-ChatGLM-Webui in the version corresponding to commit ef829

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • X D Lab Langchain Chatglm Webui

    APP
    X-D Lab
    2023-05-23
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References