PT-2024-22256 · Langchain · Langchain

Pinkdraconian · Published 2024-03-03 · Updated 2025-06-13 · CVE-2024-28088

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: LangChain versions 0.1.10 and earlier

Description: The issue allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.

Recommendations: For LangChain versions 0.1.10 and earlier, update to version 0.1.29 or later of langchain-core to resolve the issue. As a temporary workaround, consider restricting the use of the load chain call to minimize the risk of exploitation. Avoid using the path parameter in the affected load chain call until the issue is resolved.
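The restriction the advisory recommends, written out as an added example (not LangChain's own loader code): a helper that confines a caller-supplied path suffix to the hub repository and refuses anything that could resolve outside it. The raw-file base URL and the allowed file extensions are assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote, urljoin, urlsplit

# Assumption (not taken from the advisory): raw files of the hub repository are fetched from here.
HUB_BASE = "https://raw.githubusercontent.com/hwchase17/langchain-hub/master/"
# Assumption: only serialized chain configs in these formats may be loaded.
ALLOWED_SUFFIXES = (".json", ".yaml")


def safe_hub_url(user_path: str) -> str:
    """Map a caller-supplied path suffix to a URL under HUB_BASE.

    Raises ValueError for anything that could resolve outside the hub repository,
    so a loader built on this never fetches a caller-chosen file from elsewhere.
    """
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise ValueError("nested percent-encoding rejected")
    if decoded.startswith("/") or "\\" in decoded or "://" in decoded:
        raise ValueError("absolute paths, backslashes and URL schemes rejected")
    if "?" in decoded or "#" in decoded:
        raise ValueError("query strings and fragments rejected")
    parts = PurePosixPath(decoded).parts
    if not parts or any(segment in (".", "..") for segment in parts):
        raise ValueError("dot segments rejected")
    if not decoded.endswith(ALLOWED_SUFFIXES):
        raise ValueError("only hub config files may be loaded")
    candidate = urljoin(HUB_BASE, decoded)
    # Belt and braces: after URL normalisation the result must still sit under the hub root.
    base, cand = urlsplit(HUB_BASE), urlsplit(candidate)
    if (cand.scheme, cand.netloc) != (base.scheme, base.netloc) \
            or not cand.path.startswith(base.path):
        raise ValueError("resolved URL left the hub repository")
    return candidate


def is_allowed(user_path: str) -> bool:
    """Boolean wrapper around safe_hub_url, convenient for logging or tests."""
    try:
        safe_hub_url(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate hub path and three traversal attempts.
    for candidate_path in ("chains/qa/prompt.json", "../../other-repo/config.json",
                           "%2e%2e/config.json", "chains/../../x.yaml"):
        print(f"{candidate_path!r:40} allowed={is_allowed(candidate_path)}")
```

The check complements the upgrade to the fixed version; it does not replace it.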

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2024-28088
GHSA-H59X-P739-982C
PYSEC-2024-43
PYSEC-2024-45

Affected Products

Langchain