PT-2025-12081 · Unknown · Langchain-Core

Published 2025-03-20 · Updated 2025-03-22 · CVE-2024-10940

CVSS v3.1 5.3 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

langchain-core versions 0.1.17 through 0.1.52
langchain-core versions 0.2.0 through 0.2.42
langchain-core versions 0.3.0 through 0.3.14
Description

A vulnerability in langchain-core allows unauthorized users to read arbitrary files from the host file system. A langchain_core.prompts.ImagePromptTemplate (or a langchain_core.prompts.ChatPromptTemplate that contains one) can be created with a path field populated from an input variable. When such a template is formatted, the affected versions open the file at that path on the server and embed its contents in the resulting message. An application that lets a user control that input variable and returns the formatted prompt, or the model's response to it, therefore exposes the contents of any file the server process can read, including configuration files holding credentials.
Recommendations

For all three affected series (0.1.17 through 0.1.52, 0.2.0 through 0.2.42, 0.3.0 through 0.3.14), upgrade to a release outside the affected range. Where an upgrade is not yet possible, restrict the creation of langchain_core.prompts.ImagePromptTemplate and langchain_core.prompts.ChatPromptTemplate objects with input variables to trusted code, and do not let untrusted input reach the path field of an image template: pass images by URL, or as data URLs built from content the application already holds. Audit existing prompt templates for a path field that is fed from user input, and review which files the service account running the application can read.
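The file-read flow described above, together with the two mitigations the recommendations point at, as an added example that is not code from the langchain-core project or from this advisory. It is a constructed, minimal model of a template whose path field is filled from input variables and then read from disk, beside a variant that confines reads to an allowlisted directory via realpath, and a strict variant that refuses local paths altogether. The function names (image_to_data_url, vulnerable_format, confined_format, strict_format, demo), the template shape and the sample files are assumptions of this example, not langchain-core's API.

```python
"""Constructed model of the CVE-2024-10940 pattern (not langchain-core's code).

The vulnerable shape: a prompt template whose `path` field is a format string
filled from caller-controlled input variables, and whose format step then reads
that path from disk and inlines the file as a data: URL.
"""
import base64
import mimetypes
import os
import tempfile


def image_to_data_url(path: str) -> str:
    """Read a local file and return it as a base64 data: URL.  Whatever `path`
    points at ends up in the prompt, image or not."""
    mime, _ = mimetypes.guess_type(path)
    mime = mime or "application/octet-stream"
    with open(path, "rb") as f:
        return f"data:{mime};base64,{base64.b64encode(f.read()).decode('ascii')}"


def _render(template: dict, kwargs: dict) -> dict:
    # Every string value in the template is str.format()-ed with the input variables.
    return {k: (v.format(**kwargs) if isinstance(v, str) else v) for k, v in template.items()}


def vulnerable_format(template: dict, **kwargs) -> dict:
    """Model of the affected behaviour: a formatted `path` is read from disk
    with no restriction at all (assumed shape, not the upstream code)."""
    formatted = _render(template, kwargs)
    url, path = formatted.get("url"), formatted.get("path")
    if not url and not path:
        raise ValueError("Must provide either url or path.")
    if not url:
        url = image_to_data_url(path)  # any file the server process can read
    return {"url": url, "detail": formatted.get("detail")}


def confined_format(template: dict, allowed_dir: str, **kwargs) -> dict:
    """Hardened variant (an assumed mitigation): only files whose resolved real
    path lies under `allowed_dir` are loaded.  realpath() follows symlinks, so a
    link inside the directory that points outside it is rejected as well."""
    formatted = _render(template, kwargs)
    url, path = formatted.get("url"), formatted.get("path")
    if not url and not path:
        raise ValueError("Must provide either url or path.")
    if not url:
        root = os.path.realpath(allowed_dir)
        target = os.path.realpath(os.path.join(root, path))
        if os.path.commonpath([root, target]) != root:
            raise PermissionError(f"path escapes {root}: {path!r}")
        url = image_to_data_url(target)
    return {"url": url, "detail": formatted.get("detail")}


def strict_format(template: dict, **kwargs) -> dict:
    """Strictest option: a `path` key is never honoured.  Callers pass a URL, or
    build the data: URL themselves from content the application already owns."""
    formatted = _render(template, kwargs)
    if "path" in formatted or "path" in kwargs:
        raise ValueError("Loading images from a local 'path' is not supported.")
    if not formatted.get("url"):
        raise ValueError("Must provide url.")
    return {"url": formatted["url"], "detail": formatted.get("detail")}


def demo() -> dict:
    """Constructed layout: an images directory the app is meant to serve from,
    and a 'secret' file outside it.  Returns what each variant did."""
    with tempfile.TemporaryDirectory() as tmp:
        images = os.path.join(tmp, "images")
        os.mkdir(images)
        with open(os.path.join(images, "logo.png"), "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\nconstructed")
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as f:
            f.write("db_password=hunter2\n")
        template = {"path": "{image_path}", "detail": "low"}  # path from an input variable
        results = {}
        # Vulnerable: the caller-chosen path is read and returned inside the prompt.
        leaked = vulnerable_format(template, image_path=secret)["url"]
        results["vulnerable_leaks_secret"] = (
            base64.b64decode(leaked.split(",", 1)[1]).decode() == "db_password=hunter2\n")
        # Confined: a file inside the allowlisted directory still works ...
        results["confined_allows_inside"] = confined_format(
            template, images, image_path="logo.png")["url"].startswith("data:image/png;base64,")
        # ... but traversal out of it is refused.
        try:
            confined_format(template, images, image_path="../secret.txt")
            results["confined_blocks_traversal"] = False
        except PermissionError:
            results["confined_blocks_traversal"] = True
        # Strict: a path key is never loaded, whatever it points at.
        try:
            strict_format(template, image_path=secret)
            results["strict_refuses_path"] = False
        except ValueError:
            results["strict_refuses_path"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The confined variant resolves both the base directory and the requested file with realpath before comparing them with commonpath, so `..` segments and symlinks are handled the same way; a prefix comparison on the raw string would not be. The strict variant is the safer default for a library, since the question "which directory is safe to serve" belongs to the application, not the prompt template.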

Fix

Upgrade langchain-core to a release outside the affected ranges listed above: 0.1.53 or later in the 0.1 series, 0.2.43 or later in the 0.2 series, 0.3.15 or later in the 0.3 series.

Weakness Enumeration

Related Identifiers

CVE-2024-10940
GHSA-5CHR-FJJV-38QV

Affected Products

Langchain-Core