langchain-chatchat@0.3.0.20240625

Langchain-Chatchat (formerly langchain-ChatGLM), local knowledge based LLM (like ChatGLM, Qwen and Llama) RAG and Agent app with langchain

Direct Vulnerabilities

Known vulnerabilities in the langchain-chatchat package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability | Vulnerable Version
  • [L] Race Condition

langchain-chatchat is a Langchain-Chatchat (formerly langchain-ChatGLM), local knowledge based LLM (like ChatGLM, Qwen and Llama) RAG and Agent app with langchain

Affected versions of this package are vulnerable to Race Condition through a race condition in the files function of the OpenAI-Compatible File Upload API. An attacker can overwrite files by manipulating the file.filename argument during concurrent upload requests. This is only exploitable if the attacker has access to the local network and can perform simultaneous file uploads.

How to fix Race Condition?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [L] Use of a Broken or Risky Cryptographic Algorithm

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the PIL.Image.tobytes function of the Vision Chat Paste Image Handler process. An attacker can cause the use of a weak hash by manipulating the paste_image.image_data argument, potentially leading to reduced integrity of processed image data. This can be exploited by a local network attacker who is able to supply crafted image data.

How to fix Use of a Broken or Risky Cryptographic Algorithm?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [L] Insecure Randomness

Affected versions of this package are vulnerable to Insecure Randomness via the _get_file_id function in the Uploaded File Handler process. An attacker can predict file identifiers by manipulating file uploads over the local network, potentially leading to unauthorized access to sensitive files.

How to fix Insecure Randomness?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [H] Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP STDIO server configuration and execution handling. An attacker can execute arbitrary commands by accessing the publicly exposed MCP management interface and configuring the server with attacker-controlled commands and arguments.

How to fix Arbitrary Code Injection?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [M] Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the purpose parameter in the /v1/files endpoint. An attacker can access sensitive files outside the intended directory by submitting crafted requests.

How to fix Directory Traversal?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [M] Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the flag argument in /v1/file. An attacker can access or modify files outside the intended directory by supplying crafted input.

How to fix Directory Traversal?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)

  • [M] Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal via the parse_file function in the /knowledge_base/upload_temp_docs endpoint due to lack of proper validation of user-supplied input to the file_path parameter. An attacker can access or modify files outside the intended directory by supplying crafted input.

How to fix Directory Traversal?

There is no fixed version for langchain-chatchat.

Vulnerable versions: [0,)