ByteOS Network

NVD Vulnerability Details :

CVE-2024-10940

Received

Source-security@huntr.dev

Published At-20 Mar, 2025 | 10:15

Updated At-20 Mar, 2025 | 10:15

A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.0	5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Type: Secondary

Version: 3.0

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-497	Primary	security@huntr.dev

CWE ID: CWE-497

Type: Primary

Source: security@huntr.dev

References

Hyperlink	Source	Resource
https://github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68	security@huntr.dev	N/A
https://huntr.com/bounties/be1ee1cb-2147-4ff4-a57b-b6045271cf27	security@huntr.dev	N/A

Hyperlink: https://github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68

Source: security@huntr.dev

Resource: N/A

Hyperlink: https://huntr.com/bounties/be1ee1cb-2147-4ff4-a57b-b6045271cf27

Source: security@huntr.dev

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History