exploitDog
GHSA-hc5w-c9f8-9cc4

Published: Oct 29, 2024
Source: github
GitHub: reviewed
CVSS4: 6.9
CVSS3: 6.5

Description

Langchain Path Traversal vulnerability

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

Packages

Name: langchain (npm)
Affected versions: < 0.2.19
Fixed version: 0.2.19

EPSS

Percentile: 63%
Score: 0.00438
Low

CVSS4: 6.9 Medium
CVSS3: 6.5 Medium

Weaknesses

CWE-22
CWE-29

Related vulnerabilities

CVSS3: 9.1
Source: nvd
more than 1 year ago
