GHSA-fg23-3346-88f5: Langroid: Path traversal in the file tools allows read/write outside configured current directory
Summary
Langroid's ReadFileTool and WriteFileTool have a path traversal vulnerability (a security flaw where attackers use sequences like ../ to access files outside intended boundaries) because they only change the working directory but don't validate that file paths stay within the configured curr_dir (current directory) boundary. An attacker can use paths like ../secret.txt to read or write files outside the intended sandbox directory, potentially compromising applications that rely on curr_dir to restrict file access.
Vulnerability Details
EPSS: 0.0%
Yes
July 2, 2026
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-fg23-3346-88f5
First tracked: July 2, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%