CVE-2024-2057: LangChain TFIDFRetriever: SSRF/RCE via load_local

CRITICAL PoC AVAILABLE
Published March 1, 2024
CISO Take

Any LangChain deployment on langchain_community 0.0.26 that calls TFIDFRetriever.load_local() is remotely exploitable with no credentials. The PoC is a crafted .pkl file, which means this is almost certainly pickle deserialization RCE misclassified as SSRF; that also explains the anomalous 9.8 CVSS with C:H/I:H/A:H. Patch to 0.0.27 immediately and audit every code path that calls load_local() with an externally influenced file path.

Risk Assessment

Critically high. The attack vector is network-accessible, requires zero privileges and zero user interaction, and the exploit is public. The .pkl PoC strongly indicates unsafe deserialization (arbitrary code execution) rather than classic SSRF — pure SSRF does not produce C:H/I:H/A:H CVSS impact scores. AI/ML environments running LangChain retrievers are particularly exposed because TFIDFRetriever is commonly used in RAG pipelines where file paths may be dynamically constructed from user input or external data sources.

Affected Systems

Package
langchain
Ecosystem
pip
Patched
No patch


Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 18% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

5 steps

1. PATCH: Upgrade langchain_community to >= 0.0.27 immediately. No workaround is equivalent.

2. AUDIT: Search the codebase for all calls to TFIDFRetriever.load_local() and verify that file paths are not user-influenced or fetched from external URLs.

3. NETWORK: Apply egress filtering on ML inference hosts to block SSRF lateral movement to cloud metadata endpoints (169.254.169.254, fd00:ec2::254) and internal services.

4. DETECT: Alert on unexpected outbound HTTP from ML inference hosts and on deserialization errors in LangChain logs.

5. HARDEN: Enforce file integrity checks before deserialization; consider replacing pickle-based persistence with safe serialization formats (JSON, safetensors) for retriever state.
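One way to implement the HARDEN step's integrity check, and to contain the deserialization risk while pickle-based retriever state is still in use, as an added example that is not code from this page or from the LangChain project: the file's SHA-256 is compared against the expected value before any deserialization, and the unpickler resolves only an allowlisted set of globals. The allowlist, the sample index and the helper names are constructed for this example; a real index would allowlist the exact classes its pickled state contains.

```python
# Added example, not from the page or the LangChain project: a hardened
# loader for pickle-based retriever state. It refuses a file whose SHA-256
# is not the expected value, and resolves only allowlisted globals, so a
# pickle naming an arbitrary callable fails in find_class instead of running.
import hashlib
import hmac
import io
import pickle

# Constructed allowlist of (module, name) pairs; a real TF-IDF index would
# add the exact scikit-learn classes its pickled state contains.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on SAFE_GLOBALS."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_and_load(data: bytes, expected_sha256: str):
    """Integrity check first, then restricted deserialization."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("index file hash does not match the manifest")
    return RestrictedUnpickler(io.BytesIO(data)).load()

def attempt(data: bytes, expected_sha256: str):
    """Return the loaded object, or the rejection reason as a string."""
    try:
        return verify_and_load(data, expected_sha256)
    except (ValueError, pickle.UnpicklingError) as exc:
        return f"rejected: {exc}"

# Constructed sample inputs: a benign index-like dict, and a pickle that stores
# a callable by module and name (plain pickle.load would resolve any such name).
BENIGN = pickle.dumps({"vocab": ["alpha", "beta"], "idf": [1.0, 0.5]})
NAMES_A_CALLABLE = pickle.dumps(len)

def demo():
    return (
        attempt(BENIGN, sha256_hex(BENIGN))["vocab"],
        attempt(BENIGN, "0" * 64),
        attempt(NAMES_A_CALLABLE, sha256_hex(NAMES_A_CALLABLE)),
    )
```

The restricted unpickler is the pattern from the Python pickle documentation; it limits what a file can instantiate but does not make pickle a safe format, so the JSON or safetensors replacement in the HARDEN step remains the end goal.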

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
Art. 9 - Risk management system
ISO 42001
A.6.2.5 - AI system security
A.8.3 - AI system input controls
NIST AI RMF
GOVERN-6.2 - AI risk and third-party dependency management
MANAGE-2.2 - Treatments for identified risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2024-2057 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-2057, increasing the risk of exploitation.

What systems are affected by CVE-2024-2057?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, model serving.

What is the CVSS score for CVE-2024-2057?

CVE-2024-2057 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372.

Exploitation Scenario

An adversary targets a LangChain-based RAG application that allows users to specify or upload TFIDF index files. The attacker crafts a malicious .pkl file embedding a Python __reduce__ payload that spawns a reverse shell. They upload this file to a path accessible to the server (or manipulate the file path parameter if the application exposes it). When the application calls TFIDFRetriever.load_local() on the attacker's file, Python's pickle deserializer executes the payload with the privileges of the ML serving process — typically a service account with access to model artifacts, API keys, and internal databases. From there, the attacker pivots to the underlying cloud environment via the metadata service.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 1, 2024
Last Modified
March 4, 2025
First Seen
March 1, 2024

Related Vulnerabilities