Home > Vulnerability Database > CVE-2024-7774

Mend.io Vulnerability Database

CVE-2024-7774

Good to know:

Date: October 29, 2024

A path traversal vulnerability exists in the "getFullPath" method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read ".txt" files, and delete files. The vulnerability is exploited through the "setFileContent", "getParsedFile", and "mdelete" methods, which do not properly sanitize user input.

Language: TYPE_SCRIPT

Severity Score

9.1

Related Resources (6)

Url: https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9

Url: https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-111.yaml

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7774

Url: https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee

Url: https://github.com/langchain-ai/langchainjs

Url: https://www.mend.io/vulnerability-database/CVE-2024-7774

Severity Score

9.1

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Path Traversal: '..filename'

CWE-29

Top Fix

Upgrade Version

Upgrade to version langchain - 0.2.19

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7774

Good to know:

Date: October 29, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?