CVE-2024-10940: langchain-core: file read via prompt template inputs
GHSA-5chr-fjjv-38qv | Severity: MEDIUM | CISA SSVC decision: Track*

Any LangChain application that allows user-controlled input into ImagePromptTemplate or ChatPromptTemplate variables and exposes rendered output is leaking arbitrary server files, including .env files, cloud credentials, and API keys. Patch to langchain-core >=0.1.53, >=0.2.43, or >=0.3.15 immediately; no viable in-place workaround exists. Externally-facing LangChain apps where prompt output reaches users or model responses are highest priority.
Risk Assessment
CVSS 5.3 (Medium) understates operational risk in AI deployments. EPSS 0.00096 suggests no active exploitation, but the attack requires no authentication and zero AI/ML knowledge, and it targets the exact file paths most damaging to AI infrastructure: .env with API keys, ~/.aws/credentials, database connection strings, and model configs. LLM inference servers routinely hold high-value secrets that convert this Medium into a critical credential-theft vector.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain-core | pip | >= 0.1.17, < 0.1.53 | 0.1.53 |
| langchain-core | pip | >= 0.2.0, < 0.2.43 | 0.2.43 |
| langchain-core | pip | >= 0.3.0, < 0.3.15 | 0.3.15 |
Recommended Action
5 steps:

1. PATCH: upgrade langchain-core to >=0.1.53 (0.1.x branch), >=0.2.43 (0.2.x branch), or >=0.3.15 (0.3.x branch); commits c1e7423 and e711034 contain the fix.
2. AUDIT: grep the codebase for ImagePromptTemplate and ChatPromptTemplate usages; flag any that accept user-supplied variables mapped to file paths.
3. DETECT: add input validation logging to flag path traversal patterns (/etc/, ../, ~/.env, /.aws/) in template variables before patching.
4. POST-PATCH ROTATION: assume credentials on affected servers are compromised; rotate API keys, DB passwords, and cloud IAM credentials.
5. HARDEN: run LangChain app processes under least-privilege OS users with restricted filesystem access as defense-in-depth.
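As an added example (not code from LangChain or from this advisory), the following Python turns the PATCH and DETECT steps above into checks an operator can run: a version test against the vulnerable ranges the advisory lists, and a pre-render guard over the dict of template variables that flags the path patterns named in the DETECT step and refuses to render when one is present. It assumes the application assembles template variables in a plain dict before calling the LangChain template; the function names, the pattern list beyond the four paths the advisory names, and the sample inputs are the example's own.

```python
"""Pre-render guard for prompt-template variables and a version check.

Added example for this advisory; it is not LangChain code. Assumption: the
application builds the template variables as a dict (e.g. {"path": ...,
"question": ...}) before handing them to ImagePromptTemplate /
ChatPromptTemplate, so the guard runs on that dict first.
"""
import logging
import re
from typing import Dict, List, Tuple

log = logging.getLogger("langchain_template_guard")

# Vulnerable ranges exactly as the advisory states them: [lo, hi) per branch.
VULNERABLE_RANGES = (
    ((0, 1, 17), (0, 1, 53)),  # >=0.1.17, <0.1.53
    ((0, 2, 0), (0, 2, 43)),   # >=0.2.0,  <0.2.43
    ((0, 3, 0), (0, 3, 15)),   # >=0.3.0,  <0.3.15
)


def _parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce 'X.Y.Z' (with optional suffix such as 0.3.15rc1) to three ints."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable_version(version: str) -> bool:
    """True when the installed langchain-core version falls in a listed range."""
    v = _parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


# The advisory's DETECT patterns (/etc/, ../, ~/.env, /.aws/) plus a generic
# absolute/home-relative path rule, which is this example's own addition:
# the image template resolves a path variable against the server filesystem,
# so a user-supplied value should never look like a local path at all.
SUSPICIOUS = [
    (re.compile(r"\.\./"), "parent-directory traversal"),
    (re.compile(r"(^|/)\.env(\b|$)"), ".env file reference"),
    (re.compile(r"/\.aws/"), "AWS credentials directory"),
    (re.compile(r"/etc/"), "/etc/ system path"),
    (re.compile(r"^(/|~)"), "absolute or home-relative path"),
]


def check_template_inputs(variables: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (variable_name, reason) for every string value that matches a rule.

    Each offending variable is logged once (name and reason only, not the
    value) so the DETECT step produces an auditable trail before patching.
    """
    findings: List[Tuple[str, str]] = []
    for name, value in variables.items():
        if not isinstance(value, str):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(value):
                log.warning("template variable %r rejected: %s", name, reason)
                findings.append((name, reason))
                break  # first matching rule is enough for one variable
    return findings


def guard_variables(variables: Dict[str, object]) -> Dict[str, object]:
    """Return the dict unchanged if clean; raise ValueError if any rule fires."""
    findings = check_template_inputs(variables)
    if findings:
        names = ", ".join(sorted({n for n, _ in findings}))
        raise ValueError(f"refusing to render template: suspicious variables {names}")
    return variables


if __name__ == "__main__":
    # Constructed sample inputs; the second mirrors the advisory's scenario.
    print(is_vulnerable_version("0.2.40"))                         # True
    print(check_template_inputs({"question": "describe the image"}))  # []
    print(check_template_inputs({"path": "/app/.env"}))            # [('path', '.env file reference')]
```

Call guard_variables on the assembled dict immediately before template.format or invoke; on the patched versions the guard is still useful as a logging layer, since the advisory's DETECT step is about visibility rather than a substitute for the upgrade.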
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree: Track*.
Frequently Asked Questions
What is CVE-2024-10940?
Any LangChain application that allows user-controlled input into ImagePromptTemplate or ChatPromptTemplate variables and exposes rendered output is leaking arbitrary server files, including .env files, cloud credentials, and API keys. Patch to langchain-core >=0.1.53, >=0.2.43, or >=0.3.15 immediately; no viable in-place workaround exists. Externally-facing LangChain apps where prompt output reaches users or model responses are highest priority.
Is CVE-2024-10940 actively exploited?
No confirmed active exploitation of CVE-2024-10940 has been reported, but organizations should still patch proactively.
How to fix CVE-2024-10940?
1. PATCH: upgrade langchain-core to >=0.1.53 (0.1.x branch), >=0.2.43 (0.2.x branch), or >=0.3.15 (0.3.x branch); commits c1e7423 and e711034 contain the fix.
2. AUDIT: grep the codebase for ImagePromptTemplate and ChatPromptTemplate usages; flag any that accept user-supplied variables mapped to file paths.
3. DETECT: add input validation logging to flag path traversal patterns (/etc/, ../, ~/.env, /.aws/) in template variables before patching.
4. POST-PATCH ROTATION: assume credentials on affected servers are compromised; rotate API keys, DB passwords, and cloud IAM credentials.
5. HARDEN: run LangChain app processes under least-privilege OS users with restricted filesystem access as defense-in-depth.
What systems are affected by CVE-2024-10940?
This vulnerability affects the following AI/ML architecture patterns: LLM application frameworks, agent frameworks, RAG pipelines, multi-modal pipelines, chatbot deployments.
What is the CVSS score for CVE-2024-10940?
CVE-2024-10940 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.27%.
Technical Details
NVD Description
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.
Exploitation Scenario
An adversary using a LangChain-powered chatbot or assistant submits a query that populates an ImagePromptTemplate input variable with a target file path such as /app/.env or /root/.aws/credentials. The template renders the file contents and either returns them directly in the API response or passes them to the downstream LLM, which echoes the contents back. No authentication, no AI expertise, and no exploit code are required; the attacker iterates over well-known credential paths in sequence. In a multi-tenant SaaS built on LangChain, a single unauthenticated user can exfiltrate the platform operator's cloud credentials, enabling full account takeover.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
- github.com/advisories/GHSA-5chr-fjjv-38qv
- github.com/langchain-ai/langchain/commit/7d481f10102f43559cc57bcad7eba291067939ee
- github.com/langchain-ai/langchain/commit/e711034713259ae448981bc0fd1d7a5671499c31
- nvd.nist.gov/vuln/detail/CVE-2024-10940
- github.com/langchain-ai/langchain/commit/c1e742347f9701aadba8920e4d1f79a636e50b68
- huntr.com/bounties/be1ee1cb-2147-4ff4-a57b-b6045271cf27
Related Vulnerabilities
- CVE-2026-44843 (8.2) LangChain: deserialization poisons LLM chat history (same package: langchain-core)
- CVE-2025-68664 (8.2) langchain-core: Deserialization enables RCE (same package: langchain-core)
- CVE-2026-34070 (7.5) langchain-core: path traversal exposes host secrets via prompt config (same package: langchain-core)
- GHSA-926x-3r5x-gfhw (5.3) LangChain: f-string template injection exposes object internals (same package: langchain-core)
- CVE-2026-40087 (5.3) LangChain: template injection leaks object attributes (same package: langchain-core)