langchain-core@0.0.10 vulnerabilities

Building applications with LLMs through composability

latest version

0.1.52
latest non vulnerable version

0.1.52
first published

6 months ago
latest version published

6 days ago
licenses detected
- MIT
  [0,)
View langchain-core package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the langchain-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Restriction of XML External Entity Reference langchain-core is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Improper Restriction of XML External Entity Reference due to the `XMLOutputParser` using the `etree` module from the XML parser in the standard python library, which is known to have vulnerabilities. This issue primarily affects users that combine an LLM (or agent) with the `XMLOutputParser` and expose the component via an endpoint on a web-service. A malicious party could attempt to manipulate the LLM to produce a malicious payload for the parser, compromising the availability of the service. Note: This is only exploitable if `XMLOutputParser` is used Malicious input is passed into the `XMLOutputParser` either directly or by trying to manipulate an LLM to do so on the user's behalf The component is exposed via a web-service. How to fix Improper Restriction of XML External Entity Reference? Upgrade `langchain-core` to version 0.1.34 or higher.	[,0.1.34)
C Path Traversal langchain-core is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Path Traversal due to improper validation of user-supplied input in the `load_chain` call. An attacker can achieve remote code execution or disclose sensitive information by manipulating the path parameter to traverse directories and load configurations or execute code not intended by the application. Notes: This is only exploitable if the attacker can control the final part of the path parameter. `llm_bash_chain` is an experimental feature. How to fix Path Traversal? Upgrade `langchain-core` to version 0.1.31 or higher.	[,0.1.31)
L Server-Side Request Forgery (SSRF) langchain-core is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) in `document_loaders/recursive_url_loader.py`. An attacker in control of the contents of a specified URL could place a malicious HTML file there with links to completely different domains, and the crawler would proceed to issue GET requests from it, even though it is configured to prevent requests from outside sources. This is a bypass for the previously reported CVE-2023-46229. How to fix Server-Side Request Forgery (SSRF)? Upgrade `langchain-core` to version 0.1.7 or higher.	[,0.1.7)

Go back to all versions of this package

langchain-core@0.0.10 vulnerabilities

Building applications with LLMs through composability

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities