CVE-2024-3571: langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted director
Summary
LangChain's LocalFileStore feature has a path traversal vulnerability (a security flaw where attackers can access files outside the intended directory by using special path sequences like '../'). An attacker can exploit this to read or write arbitrary files on the system, potentially stealing data or executing malicious code. The problem stems from the mset and mget methods not properly filtering user input before using it to build file paths.
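The containment check this class of bug calls for, shown as an added example that is not LangChain's code or its actual fix. ContainedFileStore, naive_path and contained_path are hypothetical names (only mset and mget come from the summary), and the keys are constructed samples.

```python
import tempfile
from pathlib import Path


def naive_path(root, key):
    # Vulnerable pattern: the key is joined to the root with no validation.
    return Path(root) / key


def contained_path(root, key):
    # Hardened pattern: resolve ".." segments and symlinks first, then
    # require the result to sit strictly below the resolved root.
    root = Path(root).resolve()
    candidate = (root / key).resolve()
    if root not in candidate.parents:
        raise ValueError(f"key {key!r} escapes {root}")
    return candidate


class ContainedFileStore:
    """Hypothetical store; mset/mget named after the methods in the summary."""
    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def mset(self, pairs):
        # Validate every key before writing, so one bad key aborts the batch.
        targets = [(contained_path(self.root, k), v) for k, v in pairs]
        for path, value in targets:
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(value)

    def mget(self, keys):
        paths = [contained_path(self.root, k) for k in keys]
        return [p.read_bytes() if p.is_file() else None for p in paths]


def demo():
    # Constructed keys, run inside a throwaway temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        store = ContainedFileStore(Path(tmp) / "store")
        store.mset([("docs/a.txt", b"hello")])
        rejected = []
        for key in ("../outside.txt", "/etc/hostname", "docs/../../x", ""):
            try:
                store.mget([key])
            except ValueError:
                rejected.append(key)
        return store.mget(["docs/a.txt", "missing"]), rejected
```

The check runs on the resolved path rather than on the raw key string, so it also covers absolute keys and keys that only leave the root after several segments.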
Vulnerability Details
8.8 (high)
EPSS: 2.0%
Classification
Affected Vendors
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-3571
First tracked: February 15, 2026 at 08:35 PM