CVE-2024-10940: langchain-core: file read via prompt template inputs

GHSA-5chr-fjjv-38qv MEDIUM CISA: TRACK*
Published March 20, 2025
CISO Take

Any LangChain application that allows user-controlled input into ImagePromptTemplate or ChatPromptTemplate variables and exposes rendered output is leaking arbitrary server files — including .env files, cloud credentials, and API keys. Patch to langchain-core >=0.1.53, >=0.2.43, or >=0.3.15 immediately; no viable in-place workaround exists. Externally-facing LangChain apps where prompt output reaches users or model responses are highest priority.

What is the risk?

CVSS 5.3 (Medium) understates operational risk in AI deployments. EPSS 0.00096 suggests no active exploitation, but the attack is pre-authenticated, requires zero AI/ML knowledge, and targets the exact file paths most damaging to AI infrastructure: .env with API keys, ~/.aws/credentials, database connection strings, and model configs. LLM inference servers routinely hold high-value secrets that convert this Medium into a critical credential-theft vector.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain Core pip >= 0.1.17, < 0.1.53 0.1.53

Do you use LangChain Core? You're affected.

How severe is it?

CVSS 3.1
5.3 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): None
A (Availability): None

What should I do?

5 steps

  1. PATCH: upgrade langchain-core to >=0.1.53 (0.1.x branch), >=0.2.43 (0.2.x branch), or >=0.3.15 (0.3.x branch); commits c1e7423 and e711034 contain the fix.

  2. AUDIT: grep the codebase for ImagePromptTemplate and ChatPromptTemplate usages; flag any that accept user-supplied variables mapped to file paths.

  3. DETECT: add input validation logging to flag path traversal patterns (/etc/, ../, ~/.env, /.aws/) in template variables before patching.

  4. POST-PATCH ROTATION: assume credentials on affected servers are compromised; rotate API keys, DB passwords, and cloud IAM credentials.

  5. HARDEN: run LangChain app processes under least-privilege OS users with restricted filesystem access as defense-in-depth.
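As an added example (not part of the advisory and not langchain's own code), the following Python helpers implement the PATCH version check against the affected ranges stated on this page and the DETECT screening of template variables; the function names, the logger name and the patterns beyond the four listed above are assumptions.

```python
"""Defensive helpers for CVE-2024-10940 (added example, not langchain's code).

  * is_vulnerable_version(): compares a langchain-core version string against
    the affected ranges given in the advisory.
  * flag_template_inputs(): screens user-supplied prompt-template variables for
    path-like values before they reach ChatPromptTemplate / ImagePromptTemplate,
    so the event is logged and the request can be refused.
"""
import logging
import re

logger = logging.getLogger("cve_2024_10940")  # assumed logger name

# (first affected, first fixed) per release branch, from the advisory text.
AFFECTED_RANGES = (((0, 1, 17), (0, 1, 53)),
                   ((0, 2, 0), (0, 2, 43)),
                   ((0, 3, 0), (0, 3, 15)))

# The four patterns named in the DETECT step, plus generic absolute-path,
# home-directory, Windows-drive and file:-URI shapes (assumed additions).
SUSPICIOUS = re.compile(
    r"(\.\.[/\\]|/etc/|~/\.env|/\.aws/|(^|[/\\])\.env$|^/|^~|^[a-z]:\\|^file:)",
    re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '0.3.14' (or '0.3.14rc1') into a comparable (major, minor, patch) tuple."""
    nums = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not nums:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(n) for n in nums.groups())


def is_vulnerable_version(version: str) -> bool:
    """True if this langchain-core version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def flag_template_inputs(variables: dict) -> list:
    """Return the names of template variables whose string values look like file paths.

    Call this on the dict you are about to pass to a prompt template; log each
    hit and refuse to render when the returned list is non-empty.
    """
    flagged = []
    for name, value in variables.items():
        if isinstance(value, str) and SUSPICIOUS.search(value):
            logger.warning("path-like value in template variable %r: %r", name, value)
            flagged.append(name)
    return flagged
```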

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.7.4 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI system value and respond to identified risks
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2024-10940?

Any LangChain application that allows user-controlled input into ImagePromptTemplate or ChatPromptTemplate variables and exposes rendered output is leaking arbitrary server files — including .env files, cloud credentials, and API keys. Patch to langchain-core >=0.1.53, >=0.2.43, or >=0.3.15 immediately; no viable in-place workaround exists. Externally-facing LangChain apps where prompt output reaches users or model responses are highest priority.

Is CVE-2024-10940 actively exploited?

No confirmed active exploitation of CVE-2024-10940 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-10940?

1. PATCH: upgrade langchain-core to >=0.1.53 (0.1.x branch), >=0.2.43 (0.2.x branch), or >=0.3.15 (0.3.x branch); commits c1e7423 and e711034 contain the fix.
2. AUDIT: grep the codebase for ImagePromptTemplate and ChatPromptTemplate usages; flag any that accept user-supplied variables mapped to file paths.
3. DETECT: add input validation logging to flag path traversal patterns (/etc/, ../, ~/.env, /.aws/) in template variables before patching.
4. POST-PATCH ROTATION: assume credentials on affected servers are compromised; rotate API keys, DB passwords, and cloud IAM credentials.
5. HARDEN: run LangChain app processes under least-privilege OS users with restricted filesystem access as defense-in-depth.

What systems are affected by CVE-2024-10940?

This vulnerability affects the following AI/ML architecture patterns: LLM application frameworks, agent frameworks, RAG pipelines, multi-modal pipelines, chatbot deployments.

What is the CVSS score for CVE-2024-10940?

CVE-2024-10940 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

LLM application frameworks, agent frameworks, RAG pipelines, multi-modal pipelines, chatbot deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0057 LLM Data Leakage

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.7.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.

Exploitation Scenario

An adversary using a LangChain-powered chatbot or assistant submits a query that populates an ImagePromptTemplate input variable with a target file path such as /app/.env or /root/.aws/credentials. The template renders the file contents and either returns them directly in the API response or passes them to the downstream LLM, which echoes the contents back. No authentication, no AI expertise, and no exploit code are required — the attacker iterates over well-known credential paths in sequence. In a multi-tenant SaaS using LangChain, a single unauthenticated user can exfiltrate the platform operator's cloud credentials, enabling full account takeover.

Weaknesses (CWE)

CWE-497 — Exposure of Sensitive System Information to an Unauthorized Control Sphere: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

  • [Architecture and Design, Implementation] Production applications should never use methods that generate internal details such as stack traces and error messages unless that information is directly committed to a log that is not viewable by the end user. All error message text should be HTML entity encoded before being written to the log file to protect against potential cross-site scripting attacks against the viewer of the logs.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Timeline

Published
March 20, 2025
Last Modified
May 20, 2025
First Seen
March 20, 2025
