Homepage
About Snyk

langchain@0.0.293 vulnerabilities

Building applications with LLMs through composability

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the langchain package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Path Traversal

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution.

Note: The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

How to fix Path Traversal?

Upgrade langchain to version 0.0.353 or higher.

[,0.0.353)
  • M
Server-Side Request Forgery

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Server-Side Request Forgery via prompt injection. An attacker can force the service to retrieve data from an arbitrary URL, essentially providing server-side request forgery and potentially injecting content into downstream tasks.

How to fix Server-Side Request Forgery?

Upgrade langchain to version 0.0.329 or higher.

[,0.0.329)
  • M
Server-side Request Forgery (SSRF)

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the document_loaders/recursive_url_loader.py function. An attacker can manipulate the server into making HTTP requests to an arbitrary domain by exploiting the server's ability to crawl from an external server to an internal server.

How to fix Server-side Request Forgery (SSRF)?

Upgrade langchain to version 0.0.317 or higher.

[,0.0.317)
  • C
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') via the PALChain in the python exec method. An attacker can bypass the fix for CVE-2023-36258 and execute arbitrary code by exploiting this vulnerability.

How to fix Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')?

Upgrade langchain to version 0.0.306 or higher.

[,0.0.306)
  • C
Arbitrary Code Execution

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Arbitrary Code Execution due to use of the evaluate() function in the numexpr library. An attacker can send arbitrary commands to the underlying eval() function by incorporating them in a malicious prompt.

How to fix Arbitrary Code Execution?

Upgrade langchain to version 0.0.307 or higher.

[,0.0.307)
  • C
Arbitrary Code Execution

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Arbitrary Code Execution via the load_prompt parameter, by supplying a malicious json file.

How to fix Arbitrary Code Execution?

Upgrade langchain to version 0.0.312 or higher.

[,0.0.312)
  • H
Arbitrary Code Execution

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Arbitrary Code Execution via a crafted script to the PythonAstREPLTool._run component.

How to fix Arbitrary Code Execution?

Upgrade langchain to version 0.0.325 or higher.

[,0.0.325)
Go back to all versions of this package