{"data":{"id":"f1989fd4-9f60-457f-a553-c7f1ab65754b","title":"CVE-2024-7774: A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5.","summary":"CVE-2024-7774 is a path traversal vulnerability (a security flaw where attackers can access files outside the intended directory) in langchain-ai/langchainjs version 0.2.5 that allows attackers to save, overwrite, read, and delete files anywhere on a system. The vulnerability exists in the `getFullPath` method and related functions because they do not properly filter or validate user input before using it to construct file paths.","solution":"A patch is available at https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-7774","publishedAt":"2024-10-29T17:15:09.930Z","cveId":"CVE-2024-7774","cweIds":["CWE-29","CWE-22"],"cvssScore":"9.1","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["langchain-ai/langchainjs"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00438,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}