Description
A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files.
Recommendation
Update the langchain package to the latest compatible version. Version details:
- Affected version(s): < 0.2.19
- Patched version(s): 0.2.19
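For code that maps caller-supplied keys to file paths in the way the description implies, the following added example (not langchainjs code; `naiveFullPath`, `safeFullPath`, `classify` and the sample root and keys are hypothetical) contrasts a plain join with a containment check that runs before any file operation.

```javascript
"use strict";
const path = require("node:path");

// Hypothetical naive mapping: the caller-supplied key is joined onto the root.
// path.join normalizes ".." segments, so the result can land outside rootPath.
function naiveFullPath(rootPath, key) {
  return path.join(rootPath, `${key}.txt`);
}

// Hardened mapping: resolve the candidate, then require that it is a strict
// descendant of the resolved root before any read/write/delete uses it.
function safeFullPath(rootPath, key) {
  if (typeof key !== "string" || key.length === 0 || key.includes("\0")) {
    throw new Error("key must be a non-empty string without NUL bytes");
  }
  const root = path.resolve(rootPath);
  const full = path.resolve(root, `${key}.txt`);
  const rel = path.relative(root, full);
  const escapes = rel === "" || rel === ".." ||
    rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`key resolves outside the store root: ${JSON.stringify(key)}`);
  }
  return full;
}

// Classify keys without touching the filesystem.
function classify(rootPath, keys) {
  const out = {};
  for (const key of keys) {
    try {
      out[key] = safeFullPath(rootPath, key);
    } catch (err) {
      out[key] = "REJECTED";
    }
  }
  return out;
}

// Constructed sample input (root and keys are made up for illustration).
const SAMPLE_ROOT = "/srv/store";
const SAMPLE_KEYS = ["session-42", "a/b", "..notes", "../outside", "a/../../b", "/tmp/x"];
console.log(classify(SAMPLE_ROOT, SAMPLE_KEYS));
```

The check is lexical only: if symlinks can exist under the root, resolve the parent directory with `fs.realpathSync` and repeat the containment test on the real path.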
References
Related Issues
- Prototype Pollution in jquery-deparam - CVE-2021-20087
- files.photo.gallery command injection - CVE-2024-53615
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- mapshaper Path Traversal vulnerability - CVE-2024-1163
Tags
- npm
- langchain
Last updated on November 01, 2024