langchain@0.0.349rc2 vulnerabilities

Building applications with LLMs through composability

  • latest version

    1.1.3

  • latest non vulnerable version

  • first published

    3 years ago

  • latest version published

    5 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the langchain package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable Version
    • [High] Server-side Request Forgery (SSRF)

    langchain is a library for building applications with LLMs through composability.

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RequestsToolkit module, whose tools issue HTTP requests to URLs supplied at runtime (in an agent, typically chosen by the LLM from user-controlled input). An attacker who can steer that URL can access internal network resources, perform port scans, retrieve sensitive metadata from cloud environments, and interact with local services.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade langchain to version 0.1.12 or higher.

    [,0.1.12)
    • [Medium] Server-Side Request Forgery (SSRF)

    langchain is a library for building applications with LLMs through composability.

    Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) through the Web Research Retriever component, which fetches web pages on the application's behalf. An attacker can execute port scans, access local services, and potentially read instance metadata from cloud environments by causing the retriever to request crafted URLs.

    Note: This SSRF vulnerability makes it possible to scan ports, abuse the Web Explorer server as a proxy for attacks on third parties, and interact with servers on the local network, including reading their response data, which may allow instance metadata to be extracted in a cloud environment. The consequences of interacting with local services depend heavily on the nature of those services; admin-privileged services are regularly exposed only on localhost, so the impact can go all the way up to arbitrary code execution. Only GET requests can be sent, not POST, but integrity may still be affected through stolen credentials, and on internal APIs GET requests can themselves be state-changing. For these reasons the Confidentiality, Integrity and Availability metrics are set to H, L, L; the resulting score is not uncommon for SSRF vulnerabilities.

    How to fix Server-Side Request Forgery (SSRF)?

    Upgrade langchain to version 0.2.10 or higher.

    [,0.2.10)
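Both SSRF entries above share one root cause: a URL chosen at runtime (by the LLM, by a search result) is handed to an HTTP client with no check on where it points. The following is an added example of the egress check a practitioner would put in front of any such fetch; it is not langchain's code and does not claim to be the fix shipped in 0.1.12 or 0.2.10. The hostnames, the CONSTRUCTED_DNS table and stub_resolver are constructed so the example runs offline; in production system_resolver (socket.getaddrinfo) would be used instead.

```python
"""Egress guard for LLM tools that fetch attacker-influenced URLs.

Added example, not langchain's code. The guard resolves the target and
refuses any address that is not globally routable: loopback, RFC 1918,
link-local 169.254.0.0/16 (where cloud metadata services live), and
similar ranges.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA record the OS resolver returns for host (needs network)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed DNS table so the example runs offline; these are not real records.
CONSTRUCTED_DNS = {
    "docs.example": ["8.8.8.8"],
    "intranet.example": ["10.1.2.3"],            # private address behind a public-looking name
    "rebind.example": ["8.8.8.8", "127.0.0.1"],  # mixed answers, as in a DNS rebinding attempt
    "2130706433": ["127.0.0.1"],                 # decimal spelling of 127.0.0.1, accepted by inet_aton
}


def stub_resolver(host: str) -> list[str]:
    """Offline stand-in for system_resolver, backed by CONSTRUCTED_DNS."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed record for {host!r}")
    return CONSTRUCTED_DNS[host]


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes loopback, private, link-local,
    reserved and unspecified space; multicast is excluded explicitly.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_url(url: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Decide whether a tool may fetch url. Returns (allowed, reason).

    The decision is made on resolved addresses rather than on the hostname
    string, so spellings the resolver maps into internal space (2130706433,
    0x7f000001, ...) are judged by where they actually lead. Every address
    in the answer must be public, so a mixed answer is refused outright.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, incl. bracketed IPv6
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            return False, f"could not resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolved to no addresses"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, f"{host!r} -> {', '.join(addrs)}"


if __name__ == "__main__":
    for candidate in (
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata endpoint
        "http://127.0.0.1:6379/",                    # local service on the host
        "http://[::1]:8080/",
        "http://2130706433/",
        "http://intranet.example/admin",
        "http://rebind.example/",
        "file:///etc/passwd",
        "https://docs.example/guide",
    ):
        allowed, reason = check_url(candidate, resolver=stub_resolver)
        print("ALLOW" if allowed else "BLOCK", candidate, "-", reason)
```

Two caveats apply to any check of this shape. Redirects must be re-checked per hop (or automatic redirect following disabled), since a public site can 302 the client to 169.254.169.254. And a resolver answer can change between the check and the connect (DNS rebinding); the robust form pins the connection to the address that passed the check rather than resolving the name a second time. The GET-only restriction noted for the Web Research Retriever does not change the decision: metadata endpoints and many internal admin APIs answer GET.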
    • [High] Path Traversal

    langchain is a library for building applications with LLMs through composability.

    Affected versions of this package are vulnerable to Path Traversal due to improper limitation of a pathname to a restricted directory in its LocalFileStore functionality. An attacker who controls store keys can read or write files outside the store's root directory, anywhere the process has permission, potentially leading to information disclosure or remote code execution.

    Note: The issue lies in the handling of file paths in the mset and mget methods, where the user-supplied key is joined onto the root directory without adequate validation, allowing directory traversal sequences such as ../ to reach unintended directories.

    How to fix Path Traversal?

    Upgrade langchain to version 0.0.353 or higher.

    [,0.0.353)
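The defect class above is easiest to see with the two mappings side by side. The following added example is not LocalFileStore's code and does not claim to be the fix shipped in 0.0.353: UnsafeFileStore reproduces the pattern the note describes (key joined onto the root directory and used as-is in mset and mget), and SafeFileStore shows a containment check that closes it. The class names, InvalidKeyError, the key regex, and the traversal key "../escaped.txt" are all constructed for the example; everything it writes stays inside a temporary directory.

```python
"""Key-to-path mapping in a file-backed key/value store: traversal and its fix.

Added example, not langchain's LocalFileStore code. The mset/mget names
follow the advisory; the containment check is one reasonable design,
not the library's own.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable, Optional, Sequence


class InvalidKeyError(ValueError):
    """Raised when a key would resolve outside the store root."""


class UnsafeFileStore:
    """mset/mget join the key onto root with no containment check, so
    '../' segments or an absolute key walk out of the directory."""

    def __init__(self, root: str) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def _path(self, key: str) -> Path:
        return self.root / key  # the defect: unchecked join

    def mset(self, pairs: Iterable[tuple[str, bytes]]) -> None:
        for key, value in pairs:
            target = self._path(key)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(value)

    def mget(self, keys: Sequence[str]) -> list[Optional[bytes]]:
        values: list[Optional[bytes]] = []
        for key in keys:
            target = self._path(key)
            values.append(target.read_bytes() if target.is_file() else None)
        return values


class SafeFileStore(UnsafeFileStore):
    """Same interface; _path refuses any key whose resolved target leaves root."""

    # Character allow-list. It deliberately still permits '.', '/' and '-',
    # so on its own it does NOT stop '../'; containment is checked below.
    _KEY_RE = re.compile(r"^[A-Za-z0-9_.\-/]+$")

    def _path(self, key: str) -> Path:
        if not self._KEY_RE.match(key):
            raise InvalidKeyError(f"key {key!r} contains disallowed characters")
        root = self.root.resolve()
        target = (root / key).resolve()  # normalises '..' and follows symlinks
        # commonpath, not a string prefix test: '/srv/store-evil' would pass
        # startswith('/srv/store') but fails this check.
        if target == root or os.path.commonpath([root, target]) != str(root):
            raise InvalidKeyError(f"key {key!r} escapes store root {root}")
        return target


def demo() -> dict:
    """Exercise both stores against a traversal key; returns observations."""
    with tempfile.TemporaryDirectory() as tmp:
        store_root = os.path.join(tmp, "store")
        payload = "../escaped.txt"  # constructed traversal key; lands in tmp, not beyond
        results: dict = {}

        UnsafeFileStore(store_root).mset([(payload, b"owned")])
        escaped = Path(tmp, "escaped.txt")  # one level above the store root
        results["unsafe_wrote_outside_root"] = escaped.is_file() and escaped.read_bytes() == b"owned"

        safe = SafeFileStore(store_root)
        for bad in (payload, "/etc/hostname"):  # relative traversal and absolute key
            try:
                safe.mget([bad])
                results[f"safe_rejected:{bad}"] = False
            except InvalidKeyError:
                results[f"safe_rejected:{bad}"] = True

        safe.mset([("docs/page1", b"hello")])  # legitimate nested key still works
        results["safe_roundtrip"] = safe.mget(["docs/page1", "docs/missing"])
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Resolving both the root and the candidate before comparing is what makes the check hold against symlinks planted inside the store as well as against "../" sequences; a check on the raw key string alone (rejecting ".." for instance) misses encodings the filesystem still honours.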