CVE-2024-2057: LangChain TFIDFRetriever: SSRF/RCE via load_local

CRITICAL PoC AVAILABLE
Published March 1, 2024
CISO Take

Any deployment of langchain_community 0.0.26 that calls TFIDFRetriever.load_local() on a file an attacker can supply or swap is remotely exploitable without credentials. The public PoC is a crafted .pkl file, so this is almost certainly pickle deserialization leading to remote code execution, recorded by the reporting source as SSRF; that explains the otherwise anomalous 9.8 CVSS with C:H/I:H/A:H. Upgrade to 0.0.27 immediately and audit every code path that calls load_local() with an externally influenced path or file.

What is the risk?

Critically high. The attack vector is network-accessible, requires no privileges and no user interaction, and the exploit is public. A .pkl PoC strongly indicates unsafe deserialization (arbitrary code execution in the serving process) rather than classic SSRF; plain SSRF rarely earns C:H/I:H/A:H. AI/ML environments running LangChain retrievers are particularly exposed because TFIDFRetriever is commonly used in RAG pipelines where index files are stored alongside user-uploaded documents, or where file paths are built from user input or external data sources.

What systems are affected?

Package Ecosystem Vulnerable Patched
langchain_community (LangChain) pip 0.0.26 (per advisory) 0.0.27

If you run langchain_community 0.0.26 and call TFIDFRetriever.load_local(), you are affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps
  1. PATCH

    Upgrade langchain_community to >= 0.0.27 immediately. No workaround is equivalent. Current releases gate pickle-based load_local() behind an explicit allow_dangerous_deserialization flag; do not set it to True for files your own build pipeline did not produce.

  2. AUDIT

    Search codebase for all calls to TFIDFRetriever.load_local() and verify file paths are not user-influenced or fetched from external URLs.

  3. NETWORK

    Apply egress filtering on ML inference hosts so that a compromised serving process (or an SSRF primitive, if the reported classification is correct) cannot reach cloud metadata endpoints (169.254.169.254, fd00:ec2::254) or internal services, and so a reverse shell has nowhere to connect.

  4. DETECT

    Alert on unexpected outbound connections from ML inference hosts, on shell or child processes spawned by the Python serving process, and on deserialization errors in LangChain logs.

  5. HARDEN

    Enforce file integrity checks before deserialization; consider replacing pickle-based persistence with safe serialization formats (JSON, safetensors) for retriever state.
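Hardening step 5 in practice, as an added example rather than LangChain's own code: a small TF-IDF retriever whose persisted state is plain data (vocabulary, idf weights, normalised document vectors) written as JSON, so that loading it can never execute anything. The class name, the "json-tfidf-v1" format tag, the save_local/load_local method names (chosen to mirror LangChain's API, not taken from it) and the three-document corpus are all this example's assumptions.

```python
"""Added example, not LangChain code: a TF-IDF retriever whose persisted state is
plain data (vocabulary, idf weights, normalised document vectors) written as
JSON, so loading it can never run code. Scoring is ordinary tf-idf with cosine
similarity; the on-disk format and every name here are this example's own."""
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

_TOKEN = re.compile(r"[a-z0-9]+")

def tokenize(text: str) -> list:
    return _TOKEN.findall(text.lower())

class JsonTfidfRetriever:
    FORMAT = "json-tfidf-v1"

    def __init__(self, vocab, idf, doc_vectors, docs):
        self.vocab = vocab              # term -> column index
        self.idf = idf                  # column index -> idf weight
        self.doc_vectors = doc_vectors  # per document: {column: weight}, L2-normalised
        self.docs = docs

    @classmethod
    def from_texts(cls, docs):
        tokenized = [tokenize(d) for d in docs]
        df = Counter()
        for toks in tokenized:
            df.update(set(toks))
        terms = sorted(df)
        vocab = {t: i for i, t in enumerate(terms)}
        n = len(docs)
        idf = [math.log((1 + n) / (1 + df[t])) + 1.0 for t in terms]  # smoothed idf
        r = cls(vocab, idf, [], list(docs))
        r.doc_vectors = [r._vectorize(toks) for toks in tokenized]
        return r

    def _vectorize(self, toks):
        counts = Counter(t for t in toks if t in self.vocab)
        vec = {self.vocab[t]: c * self.idf[self.vocab[t]] for t, c in counts.items()}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {i: v / norm for i, v in vec.items()}

    def get_relevant_documents(self, query, k=2):
        q = self._vectorize(tokenize(query))
        scored = [(sum(q.get(i, 0.0) * w for i, w in dv.items()), idx)
                  for idx, dv in enumerate(self.doc_vectors)]
        scored.sort(key=lambda s: s[0], reverse=True)
        return [self.docs[idx] for score, idx in scored[:k] if score > 0]

    def save_local(self, path):
        state = {"format": self.FORMAT, "vocab": self.vocab, "idf": self.idf,
                 "doc_vectors": [{str(i): w for i, w in dv.items()} for dv in self.doc_vectors],
                 "docs": self.docs}
        Path(path).write_text(json.dumps(state))

    @classmethod
    def load_local(cls, path):
        # json.loads yields only dicts, lists, strings and numbers: nothing in
        # the file can name a callable. Validate the shape; never trust it.
        state = json.loads(Path(path).read_text())
        if not isinstance(state, dict) or state.get("format") != cls.FORMAT:
            raise ValueError("unrecognised retriever state file")
        vocab = {str(t): int(i) for t, i in state["vocab"].items()}
        idf = [float(x) for x in state["idf"]]
        if len(idf) != len(vocab) or sorted(vocab.values()) != list(range(len(idf))):
            raise ValueError("vocabulary and idf vector disagree")
        doc_vectors = [{int(i): float(w) for i, w in dv.items()} for dv in state["doc_vectors"]]
        docs = [str(d) for d in state["docs"]]
        if len(doc_vectors) != len(docs):
            raise ValueError("document count mismatch")
        return cls(vocab, idf, doc_vectors, docs)

def round_trip_demo() -> dict:
    """Build, save, reload and query; also show a malformed state file is refused."""
    docs = ["pickle deserialization executes code",        # constructed corpus
            "json state is plain data",
            "tfidf retriever for rag"]
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "tfidf_state.json")
        JsonTfidfRetriever.from_texts(docs).save_local(path)
        loaded = JsonTfidfRetriever.load_local(path)
        hits = loaded.get_relevant_documents("pickle code", k=1)
        Path(tmp, "bogus.json").write_text(json.dumps({"format": "pickle"}))
        try:
            JsonTfidfRetriever.load_local(Path(tmp, "bogus.json"))
            rejected = False
        except ValueError:
            rejected = True
    return {"hits": hits, "bogus_rejected": rejected}

if __name__ == "__main__":
    print(round_trip_demo())
```

The point of the loader is that the worst a hostile state file can do is fail validation: every field is coerced to a primitive type and checked for consistency, and there is no code path by which file contents select a class or function to call. A real deployment would store the document vectors in a sparse-matrix format (or safetensors for dense embeddings) rather than JSON dicts, but the trust boundary is the same.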

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
A.6.2.5 - AI system security A.8.3 - AI system input controls
NIST AI RMF
GOVERN-6.2 - AI risk and third-party dependency management MANAGE-2.2 - Treatments for identified risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2024-2057?

A deserialization flaw in TFIDFRetriever.load_local() in langchain_community 0.0.26, recorded by the reporting source as SSRF. The public PoC is a crafted .pkl file, so loading an attacker-controlled index means arbitrary code execution in the serving process with no credentials required. Upgrade to 0.0.27 and audit every call to load_local() whose path or file can be influenced from outside.

Is CVE-2024-2057 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-2057, increasing the risk of exploitation.

How to fix CVE-2024-2057?

In short: (1) upgrade langchain_community to >= 0.0.27; (2) audit every TFIDFRetriever.load_local() call for user-influenced or externally fetched paths; (3) egress-filter ML inference hosts away from cloud metadata endpoints and internal services; (4) alert on unexpected outbound connections, spawned child processes, and deserialization errors; (5) verify file integrity before deserializing and move retriever persistence off pickle. The five steps above give the detail.

What systems are affected by CVE-2024-2057?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, model serving.

What is the CVSS score for CVE-2024-2057?

CVE-2024-2057 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.58%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, agent frameworks, document processing pipelines, model serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.000 Unsafe AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.2.5, A.8.3
NIST AI RMF: GOVERN-6.2, MANAGE-2.2
OWASP LLM Top 10: LLM03:2025, LLM05:2025

What are the technical details?

Original Advisory

A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372.

Exploitation Scenario

An adversary targets a LangChain-based RAG application that allows users to specify or upload TFIDF index files. The attacker crafts a malicious .pkl file embedding a Python __reduce__ payload that spawns a reverse shell. They upload this file to a path accessible to the server (or manipulate the file path parameter if the application exposes it). When the application calls TFIDFRetriever.load_local() on the attacker's file, Python's pickle deserializer executes the payload with the privileges of the ML serving process — typically a service account with access to model artifacts, API keys, and internal databases. From there, the attacker pivots to the underlying cloud environment via the metadata service.
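The scenario just described, together with the audit (step 2) and harden (step 5) checks from the remediation list, as an added example that is not LangChain's code. Every function, class and file layout here is this example's own assumption: the payload's __reduce__ names io.open instead of os.system so its only effect is a marker file, unsafe_load() stands in for the unguarded pickle.load() that load_local() on 0.0.26 amounts to, and RestrictedUnpickler, resolve_index_path() and load_verified_index() are the guards a deployment can put in front of any pickle-based loader. The allow-list is a containment measure; the fix remains not unpickling files you did not build.

```python
"""Added example, not LangChain code: why pickle.load() on an attacker-supplied
.pkl is code execution, and the guards that belong in front of any pickle-based
loader such as load_local(). All names and file layouts here are this example's."""
import hashlib
import hmac
import io
import pickle
import tempfile
from pathlib import Path

class Payload:
    """A real payload's __reduce__ names os.system or subprocess.Popen; this one
    names io.open, so the only side effect is a marker file we can look for."""
    def __init__(self, marker_path: str):
        self.marker_path = marker_path

    def __reduce__(self):
        # pickle.load() calls callable(*args) while rebuilding the object.
        return (open, (self.marker_path, "w"))

def build_malicious_index(marker_path: str) -> bytes:
    return pickle.dumps(Payload(marker_path))

def unsafe_load(data: bytes):
    """What load_local() on 0.0.26 amounts to: an unguarded pickle.load()."""
    return pickle.load(io.BytesIO(data))

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup not on an explicit allow-list. Plain containers
    never reach find_class, so data-only state still loads; a stream naming a
    module-level callable (what every RCE payload must do) is rejected first."""
    ALLOWED: set = set()   # e.g. {("numpy", "ndarray")}; keep it minimal

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def resolve_index_path(base_dir: str, user_value: str) -> Path:
    """Audit step: a user-influenced file name must stay inside base_dir."""
    base = Path(base_dir).resolve()
    candidate = (base / user_value).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"index path escapes {base}: {user_value!r}")
    return candidate

def load_verified_index(base_dir: str, user_value: str, expected_sha256: str):
    """Harden step: deserialize only a file whose SHA-256 matches the digest
    recorded when the index was built, and only via the restricted unpickler."""
    path = resolve_index_path(base_dir, user_value)
    actual = hashlib.sha256(path.read_bytes()).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("index digest mismatch; refusing to deserialize")
    with open(path, "rb") as fh:
        return RestrictedUnpickler(fh).load()

def demo() -> dict:
    """Run the scenario end to end and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp, "PAYLOAD_RAN")
        evil = build_malicious_index(str(marker))

        unsafe_load(evil).close()              # io.open() runs here, as os.system would
        out["unsafe_fired"] = marker.exists()

        try:
            restricted_load(evil)
            out["restricted_fired"] = True
        except pickle.UnpicklingError:
            out["restricted_fired"] = False

        # Constructed stand-in for a legitimate, data-only index file.
        good = pickle.dumps({"vocab": {"rag": 0, "pickle": 1}, "idf": [1.0, 2.0]})
        index = Path(tmp, "index.pkl")
        index.write_bytes(good)
        pinned = hashlib.sha256(good).hexdigest()   # recorded at build time
        out["verified_idf"] = load_verified_index(tmp, "index.pkl", pinned)["idf"]

        index.write_bytes(evil)                     # attacker swaps the file
        try:
            load_verified_index(tmp, "index.pkl", pinned)
            out["tampered_rejected"] = False
        except ValueError:
            out["tampered_rejected"] = True

        try:
            resolve_index_path(tmp, "../../etc/passwd")
            out["traversal_rejected"] = False
        except ValueError:
            out["traversal_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The digest must be compared before any byte of the file reaches the unpickler, because pickle executes as it parses rather than after a full read; and the pinned digest has to come from the build pipeline (a signed manifest, a release artifact store), not from a file sitting next to the index, since an attacker who can swap the index can swap a sibling file too.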

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. This is the weakness recorded by the reporting source; the analysis above (a .pkl PoC, full C/I/A impact) points instead to CWE-502, Deserialization of Untrusted Data, as the underlying weakness.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 1, 2024
Last Modified
March 4, 2025
First Seen
March 1, 2024

Related Vulnerabilities