CVE-2024-7774

Name of the Vulnerable Software and Affected Versions langchain-ai/langchainjs version 0.2.5

Description A path traversal issue exists in the getFullPath method, allowing attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files. The issue is exploited through the setFileContent, getParsedFile, and mdelete methods, which do not properly sanitize user input.

Recommendations For version 0.2.5, consider disabling the getFullPath method, setFileContent, getParsedFile, and mdelete methods until a patch is available to prevent exploitation. Restrict access to these methods to minimize the risk of attackers saving, overwriting, reading, or deleting files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.