{"url":"http://public2.vulnerablecode.io/api/packages/35594?format=json","purl":"pkg:pypi/langchain@0.0.284","type":"pypi","namespace":"","name":"langchain","version":"0.0.284","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.3.1","latest_non_vulnerable_version":"0.3.30","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36921?format=json","vulnerability_id":"VCID-23um-cqks-tkc5","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml"},{"reference_url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322452","reference_id":"2322452","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2322452"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8309","reference_id":"CVE-2024-8309","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8309"},{"reference_url":"https://github.com/advisories/GHSA-45pg-36p6-83v9","reference_id":"GHSA-45pg-36p6-83v9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-45pg-36p6-83v9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41226?format=json","purl":"pkg:pypi/langchain@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.0"}],"aliases":["CVE-2024-8309","GHSA-45pg-36p6-83v9","PYSEC-2024-115"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-23um-cqks-tkc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36538?format=json","vulnerability_id":"VCID-52vp-m7t5-hqas","summary":"An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/8363","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/issues/8363"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/11302"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308"},{"reference_url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7"},{"reference_url":"https://github.com/pydata/numexpr/issues/442","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pydata/numexpr/issues/442"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631","reference_id":"CVE-2023-39631","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631"},{"reference_url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x","reference_id":"GHSA-f73w-4m7g-ch9x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35618?format=json","purl":"pkg:pypi/langchain@0.0.308","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308"}],"aliases":["CVE-2023-39631","GHSA-f73w-4m7g-ch9x","PYSEC-2023-162","PYSEC-2023-163"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-52vp-m7t5-hqas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36800?format=json","vulnerability_id":"VCID-964p-24u8-yucb","summary":"A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/22903","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/22903"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml"},{"reference_url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2373306","reference_id":"2373306","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2373306"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2965","reference_id":"CVE-2024-2965","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2965"},{"reference_url":"https://github.com/advisories/GHSA-3hjh-jh2h-vrg6","reference_id":"GHSA-3hjh-jh2h-vrg6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3hjh-jh2h-vrg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41231?format=json","purl":"pkg:pypi/langchain@0.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5"}],"aliases":["CVE-2024-2965","GHSA-3hjh-jh2h-vrg6","PYSEC-2024-118"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-964p-24u8-yucb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36910?format=json","vulnerability_id":"VCID-fdk5-mhqa-mqgw","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[{"reference_url":"https://github.com/langchain-ai/langchainjs","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchainjs"},{"reference_url":"https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-114.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-114.yaml"},{"reference_url":"https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7042","reference_id":"CVE-2024-7042","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7042"},{"reference_url":"https://github.com/advisories/GHSA-6m59-8fmv-m5f9","reference_id":"GHSA-6m59-8fmv-m5f9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6m59-8fmv-m5f9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43763?format=json","purl":"pkg:pypi/langchain@0.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.1"}],"aliases":["CVE-2024-7042","GHSA-6m59-8fmv-m5f9","PYSEC-2024-114"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fdk5-mhqa-mqgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36747?format=json","vulnerability_id":"VCID-m5uw-4tqc-3ub8","summary":"LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/18600","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/18600"},{"reference_url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088","reference_id":"CVE-2024-28088","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088"},{"reference_url":"https://github.com/advisories/GHSA-h59x-p739-982c","reference_id":"GHSA-h59x-p739-982c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h59x-p739-982c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40558?format=json","purl":"pkg:pypi/langchain@0.0.339","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.339"},{"url":"http://public2.vulnerablecode.io/api/packages/40587?format=json","purl":"pkg:pypi/langchain@0.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11"}],"aliases":["CVE-2024-28088","GHSA-h59x-p739-982c","PYSEC-2024-43","PYSEC-2024-45"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5uw-4tqc-3ub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36579?format=json","vulnerability_id":"VCID-mrfe-fcyn-1qg8","summary":"LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11925","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/langchain-ai/langchain/pull/11925"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390135","reference_id":"2390135","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2390135"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229","reference_id":"CVE-2023-46229","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229"},{"reference_url":"https://github.com/advisories/GHSA-655w-fm8m-m478","reference_id":"GHSA-655w-fm8m-m478","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-655w-fm8m-m478"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36585?format=json","purl":"pkg:pypi/langchain@0.0.317","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317"}],"aliases":["CVE-2023-46229","GHSA-655w-fm8m-m478","PYSEC-2023-205"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mrfe-fcyn-1qg8"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.284"}