Lookup of vulnerable packages by Package URL (purl).

purl pkg:pypi/langchain@0.0.11
type pypi
namespace
name langchain
version 0.0.11
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version null
latest_non_vulnerable_version null
affected_by_vulnerabilities
0
url VCID-2cuv-kudj-c3cg
vulnerability_id VCID-2cuv-kudj-c3cg
summary An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/7700
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/issues/7700
1
reference_url https://github.com/langchain-ai/langchain/pull/5640
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/pull/5640
fixed_packages
0
url pkg:pypi/langchain@0.0.233
purl pkg:pypi/langchain@0.0.233
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cyy-g843-9qec
1
vulnerability VCID-52vp-m7t5-hqas
2
vulnerability VCID-5977-kuku-ebek
3
vulnerability VCID-964p-24u8-yucb
4
vulnerability VCID-a2h3-qgax-qbdr
5
vulnerability VCID-ayhd-z87z-jkbq
6
vulnerability VCID-ctus-n9fc-gqhu
7
vulnerability VCID-exkd-sryf-e3ad
8
vulnerability VCID-m5uw-4tqc-3ub8
9
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.233
aliases CVE-2023-39659, PYSEC-2023-147
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2cuv-kudj-c3cg
1
url VCID-2cyy-g843-9qec
vulnerability_id VCID-2cyy-g843-9qec
summary Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/4849
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/issues/4849
fixed_packages
0
url pkg:pypi/langchain@0.0.247
purl pkg:pypi/langchain@0.0.247
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-52vp-m7t5-hqas
1
vulnerability VCID-964p-24u8-yucb
2
vulnerability VCID-m5uw-4tqc-3ub8
3
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247
aliases CVE-2023-34541, PYSEC-2023-92
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2cyy-g843-9qec
2
url VCID-3ve9-cev3-a7g5
vulnerability_id VCID-3ve9-cev3-a7g5
summary In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
references
0
reference_url https://github.com/hwchase17/langchain/issues/1026
reference_id
reference_type
scores
url https://github.com/hwchase17/langchain/issues/1026
1
reference_url https://github.com/hwchase17/langchain/issues/814
reference_id
reference_type
scores
url https://github.com/hwchase17/langchain/issues/814
2
reference_url https://github.com/hwchase17/langchain/pull/1119
reference_id
reference_type
scores
url https://github.com/hwchase17/langchain/pull/1119
3
reference_url https://twitter.com/rharang/status/1641899743608463365/photo/1
reference_id
reference_type
scores
url https://twitter.com/rharang/status/1641899743608463365/photo/1
fixed_packages
0
url pkg:pypi/langchain@0.0.132
purl pkg:pypi/langchain@0.0.132
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cuv-kudj-c3cg
1
vulnerability VCID-2cyy-g843-9qec
2
vulnerability VCID-52vp-m7t5-hqas
3
vulnerability VCID-5977-kuku-ebek
4
vulnerability VCID-964p-24u8-yucb
5
vulnerability VCID-9d9u-r5kk-6fa4
6
vulnerability VCID-a2h3-qgax-qbdr
7
vulnerability VCID-ayhd-z87z-jkbq
8
vulnerability VCID-ctus-n9fc-gqhu
9
vulnerability VCID-dv6m-m6rf-4qa9
10
vulnerability VCID-exkd-sryf-e3ad
11
vulnerability VCID-j2kj-2axx-rqgr
12
vulnerability VCID-m5uw-4tqc-3ub8
13
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.132
aliases CVE-2023-29374, PYSEC-2023-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ve9-cev3-a7g5
3
url VCID-52vp-m7t5-hqas
vulnerability_id VCID-52vp-m7t5-hqas
summary An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/8363
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/issues/8363
1
reference_url https://github.com/langchain-ai/langchain/pull/11302
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/pull/11302
2
reference_url https://github.com/pydata/numexpr/issues/442
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/pydata/numexpr/issues/442
fixed_packages
0
url pkg:pypi/langchain@0.0.308
purl pkg:pypi/langchain@0.0.308
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-964p-24u8-yucb
1
vulnerability VCID-m5uw-4tqc-3ub8
2
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308
aliases CVE-2023-39631, PYSEC-2023-162, PYSEC-2023-163
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-52vp-m7t5-hqas
4
url VCID-5977-kuku-ebek
vulnerability_id VCID-5977-kuku-ebek
summary An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/5872
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/issues/5872
1
reference_url https://github.com/langchain-ai/langchain/pull/8425
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/pull/8425
fixed_packages
0
url pkg:pypi/langchain@0.0.247
purl pkg:pypi/langchain@0.0.247
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-52vp-m7t5-hqas
1
vulnerability VCID-964p-24u8-yucb
2
vulnerability VCID-m5uw-4tqc-3ub8
3
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247
aliases CVE-2023-36188, PYSEC-2023-109
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5977-kuku-ebek
5
url VCID-964p-24u8-yucb
vulnerability_id VCID-964p-24u8-yucb
summary A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.
references
0
reference_url https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82
1
reference_url https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae
fixed_packages
0
url pkg:pypi/langchain@0.2.5
purl pkg:pypi/langchain@0.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5
aliases CVE-2024-2965, PYSEC-2024-118
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-964p-24u8-yucb
6
url VCID-9d9u-r5kk-6fa4
vulnerability_id VCID-9d9u-r5kk-6fa4
summary An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.
references
0
reference_url https://github.com/hwchase17/langchain/issues/5872
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/hwchase17/langchain/issues/5872
1
reference_url https://github.com/hwchase17/langchain/pull/6003
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/hwchase17/langchain/pull/6003
2
reference_url https://twitter.com/llm_sec/status/1668711587287375876
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://twitter.com/llm_sec/status/1668711587287375876
fixed_packages
0
url pkg:pypi/langchain@0.0.195
purl pkg:pypi/langchain@0.0.195
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cuv-kudj-c3cg
1
vulnerability VCID-2cyy-g843-9qec
2
vulnerability VCID-52vp-m7t5-hqas
3
vulnerability VCID-5977-kuku-ebek
4
vulnerability VCID-964p-24u8-yucb
5
vulnerability VCID-a2h3-qgax-qbdr
6
vulnerability VCID-ayhd-z87z-jkbq
7
vulnerability VCID-ctus-n9fc-gqhu
8
vulnerability VCID-exkd-sryf-e3ad
9
vulnerability VCID-j2kj-2axx-rqgr
10
vulnerability VCID-m5uw-4tqc-3ub8
11
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.195
aliases CVE-2023-38896, PYSEC-2023-146
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9d9u-r5kk-6fa4
7
url VCID-a2h3-qgax-qbdr
vulnerability_id VCID-a2h3-qgax-qbdr
summary An issue in langchain v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/5872
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/issues/5872
fixed_packages
0
url pkg:pypi/langchain@0.0.247
purl pkg:pypi/langchain@0.0.247
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-52vp-m7t5-hqas
1
vulnerability VCID-964p-24u8-yucb
2
vulnerability VCID-m5uw-4tqc-3ub8
3
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247
aliases CVE-2023-36258, PYSEC-2023-98
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a2h3-qgax-qbdr
8
url VCID-ayhd-z87z-jkbq
vulnerability_id VCID-ayhd-z87z-jkbq
summary An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain; affected functions include from_math_prompt and from_colored_object_prompt.
references
0
reference_url http://langchain.com
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url http://langchain.com
1
reference_url https://github.com/hwchase17/langchain
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/hwchase17/langchain
2
reference_url https://github.com/langchain-ai/langchain/issues/5872
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/issues/5872
fixed_packages
0
url pkg:pypi/langchain@0.0.236
purl pkg:pypi/langchain@0.0.236
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cyy-g843-9qec
1
vulnerability VCID-52vp-m7t5-hqas
2
vulnerability VCID-5977-kuku-ebek
3
vulnerability VCID-964p-24u8-yucb
4
vulnerability VCID-a2h3-qgax-qbdr
5
vulnerability VCID-ctus-n9fc-gqhu
6
vulnerability VCID-exkd-sryf-e3ad
7
vulnerability VCID-m5uw-4tqc-3ub8
8
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236
aliases CVE-2023-36095, PYSEC-2023-138
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ayhd-z87z-jkbq
9
url VCID-ctus-n9fc-gqhu
vulnerability_id VCID-ctus-n9fc-gqhu
summary SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/5923
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/issues/5923
1
reference_url https://github.com/langchain-ai/langchain/pull/8425
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/pull/8425
fixed_packages
0
url pkg:pypi/langchain@0.0.247
purl pkg:pypi/langchain@0.0.247
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-52vp-m7t5-hqas
1
vulnerability VCID-964p-24u8-yucb
2
vulnerability VCID-m5uw-4tqc-3ub8
3
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247
aliases CVE-2023-36189, PYSEC-2023-110
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ctus-n9fc-gqhu
10
url VCID-dv6m-m6rf-4qa9
vulnerability_id VCID-dv6m-m6rf-4qa9
summary An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file passed to the load_prompt parameter.
references
0
reference_url https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55
1
reference_url https://github.com/hwchase17/langchain/issues/4394
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/hwchase17/langchain/issues/4394
fixed_packages
0
url pkg:pypi/langchain@0.0.171
purl pkg:pypi/langchain@0.0.171
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cuv-kudj-c3cg
1
vulnerability VCID-2cyy-g843-9qec
2
vulnerability VCID-52vp-m7t5-hqas
3
vulnerability VCID-5977-kuku-ebek
4
vulnerability VCID-964p-24u8-yucb
5
vulnerability VCID-9d9u-r5kk-6fa4
6
vulnerability VCID-a2h3-qgax-qbdr
7
vulnerability VCID-ayhd-z87z-jkbq
8
vulnerability VCID-ctus-n9fc-gqhu
9
vulnerability VCID-exkd-sryf-e3ad
10
vulnerability VCID-j2kj-2axx-rqgr
11
vulnerability VCID-m5uw-4tqc-3ub8
12
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.171
aliases CVE-2023-36281, PYSEC-2023-151
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dv6m-m6rf-4qa9
11
url VCID-exkd-sryf-e3ad
vulnerability_id VCID-exkd-sryf-e3ad
summary An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/7641
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/langchain-ai/langchain/issues/7641
fixed_packages
0
url pkg:pypi/langchain@0.0.247
purl pkg:pypi/langchain@0.0.247
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-52vp-m7t5-hqas
1
vulnerability VCID-964p-24u8-yucb
2
vulnerability VCID-m5uw-4tqc-3ub8
3
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247
aliases CVE-2023-38860, PYSEC-2023-145
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-exkd-sryf-e3ad
12
url VCID-j2kj-2axx-rqgr
vulnerability_id VCID-j2kj-2axx-rqgr
summary Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.
references
0
reference_url https://github.com/langchain-ai/langchain/issues/4833
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/issues/4833
1
reference_url https://github.com/langchain-ai/langchain/pull/6992
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/pull/6992
fixed_packages
0
url pkg:pypi/langchain@0.0.225
purl pkg:pypi/langchain@0.0.225
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2cuv-kudj-c3cg
1
vulnerability VCID-2cyy-g843-9qec
2
vulnerability VCID-52vp-m7t5-hqas
3
vulnerability VCID-5977-kuku-ebek
4
vulnerability VCID-964p-24u8-yucb
5
vulnerability VCID-a2h3-qgax-qbdr
6
vulnerability VCID-ayhd-z87z-jkbq
7
vulnerability VCID-ctus-n9fc-gqhu
8
vulnerability VCID-exkd-sryf-e3ad
9
vulnerability VCID-m5uw-4tqc-3ub8
10
vulnerability VCID-mrfe-fcyn-1qg8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.225
aliases CVE-2023-34540, PYSEC-2023-91
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j2kj-2axx-rqgr
13
url VCID-m5uw-4tqc-3ub8
vulnerability_id VCID-m5uw-4tqc-3ub8
summary LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.
references
0
reference_url https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py
1
reference_url https://github.com/langchain-ai/langchain/pull/18600
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/pull/18600
2
reference_url https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md
reference_id
reference_type
scores
url https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md
fixed_packages
0
url pkg:pypi/langchain@0.1.11
purl pkg:pypi/langchain@0.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-964p-24u8-yucb
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11
aliases CVE-2024-28088, PYSEC-2024-43, PYSEC-2024-45
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m5uw-4tqc-3ub8
14
url VCID-mrfe-fcyn-1qg8
vulnerability_id VCID-mrfe-fcyn-1qg8
summary LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
references
0
reference_url https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8
1
reference_url https://github.com/langchain-ai/langchain/pull/11925
reference_id
reference_type
scores
url https://github.com/langchain-ai/langchain/pull/11925
fixed_packages
0
url pkg:pypi/langchain@0.0.317
purl pkg:pypi/langchain@0.0.317
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-964p-24u8-yucb
1
vulnerability VCID-m5uw-4tqc-3ub8
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317
aliases CVE-2023-46229, PYSEC-2023-205
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mrfe-fcyn-1qg8
fixing_vulnerabilities
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.11