CVE-2024-7774: Langchain Path Traversal vulnerability
6.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.64184%
CWE
Published
10/29/2024
Updated
11/1/2024
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| langchain | npm | < 0.2.19 | 0.2.19 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from three key functions:
- getFullPath() was vulnerable due to insufficient path resolution/validation (fixed by adding path.resolve() and common path checks).
- getParsedFile() lacked key validation before file access (fixed by adding regex validation).
- mdelete() is implicated in advisory descriptions as an attack vector, though not directly shown in diffs. Confidence is medium here as the class's deletion logic would depend on getFullPath(). The commit patches and CVE description explicitly identify these methods as vulnerable entry points.