Medium

langchain

Arbitrary File Read via ImagePromptTemplate

A vulnerability in langchain-core versions >=0.1.17,<0.1.53 || >=0.2.0,<0.2.43 || >=0.3.0,<0.3.15 allows unauthorized file reading from the host system. This issue was patched in version 0.3.15.

Available publicly on Feb 09 2025

5.3

CVE:

CVE-2024-10940

CWE:

497:Exposure of Sensitive System Information to an Unauthorized Control Sphere

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit:

baskaryan
AssessDetect

Unavailable

Remediate
Remediation Steps
  1. Update to langchain-core version 0.3.15 or later.
  2. Ensure that user inputs to prompt templates are properly sanitized and validated.
  3. Avoid exposing the outputs of prompt templates directly to users or through downstream models without proper checks.
Patch Details
  • Fixed Version: 0.3.15
  • Patch Commit: https://github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.