Miggo Logo
Miggo Vulnerability Database
CVE-2024-7774

CVE-2024-7774: Langchain Path Traversal vulnerability

6.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2024-7774
GHSA ID
GHSA-hc5w-c9f8-9cc4
EPSS Score
0.64184%
CWE
CWE-22
Published
10/29/2024
Updated
11/1/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
langchainnpm< 0.2.190.2.19

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from three key functions:

  1. getFullPath() was vulnerable due to insufficient path resolution/validation (fixed by adding path.resolve() and common path checks).
  2. getParsedFile() lacked key validation before file access (fixed by adding regex validation).
  3. mdelete() is implicated in advisory descriptions as an attack vector, though not directly shown in diffs. Confidence is medium here as the class's deletion logic would depend on getFullPath(). The commit patches and CVE description explicitly identify these methods as vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* p*t* tr*v*rs*l vuln*r**ility *xists in t** `**t*ullP*t*` m*t*o* o* l*n****in-*i/l*n****injs v*rsion *.*.*. T*is vuln*r**ility *llows *tt**k*rs to s*v* *il*s *nyw**r* in t** *il*syst*m, ov*rwrit* *xistin* t*xt *il*s, r*** `.txt` *il*s, *n* **l*t* *i

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y *un*tions: *. **t*ullP*t*() w*s vuln*r**l* *u* to insu**i*i*nt p*t* r*solution/v*li**tion (*ix** *y ***in* p*t*.r*solv*() *n* *ommon p*t* ****ks). *. **tP*rs***il*() l**k** k*y v*li**tion ***or* *il* ****ss (*ix