CVE-2024-7774 Information
Nov 01, 2024
cve
Description
A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem overwrite existing text files read .txt files and delete files. The vulnerability is exploited through the setFileContent getParsedFile and mdelete methods which do not properly sanitize user input.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Reference
https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
NONE
Base Severity
9.1
Share on: