CVE-2024-28088 — HIGH (CVSS 8.1) AI Security Vulnerability

CISO Take

Any LangChain deployment through v0.1.10 where external users can influence chain loading paths is directly exploitable for remote code execution or LLM API key theft. A public PoC exists, eliminating any skill barrier. Patch to langchain-core ≥0.1.29 immediately and rotate all LLM API keys on affected systems.

Risk Assessment

High risk in practice despite the CVSS 8.1 score. Low complexity, network-reachable attack with a public PoC makes this trivially exploitable by any threat actor. The dual-outcome nature—RCE or API key exfiltration—means organizations face both infrastructure compromise and financial exposure (unauthorized LLM API usage). LangChain's widespread adoption in production AI pipelines significantly increases blast radius.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain	pip	—	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Do you use langchain? You're affected.

Severity & Risk

CVSS 3.1

8.1 / 10

EPSS

13.4%

chance of exploitation in 30 days

Higher than 94% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 13%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

Recommended Action

5 steps

PATCH

upgrade langchain-core to ≥0.1.29 immediately—this is the only full fix.
AUDIT

review all load_chain() and hub.pull() call sites; ensure no user-controlled input reaches the path parameter.
ROTATE

revoke and replace all LLM API keys (OpenAI, Anthropic, Cohere, etc.) present in environments running affected versions.
HARDEN

run LangChain processes under least-privilege accounts with restricted filesystem access; use container isolation or chroot where feasible.
DETECT

monitor for anomalous outbound connections from AI app containers, unexpected file access outside expected directories, and API key usage spikes indicating credential theft.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Leakage Supply Chain Framework Agent API AML.T0010.001 - AI Software AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.10.1 - Suppliers and third-party AI components A.6.2 - AI system operational and maintenance processes

NIST AI RMF

GOVERN 6.1 - Policies and procedures encompass AI risks from third-party entities MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-28088?

Any LangChain deployment through v0.1.10 where external users can influence chain loading paths is directly exploitable for remote code execution or LLM API key theft. A public PoC exists, eliminating any skill barrier. Patch to langchain-core ≥0.1.29 immediately and rotate all LLM API keys on affected systems.

Is CVE-2024-28088 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-28088, increasing the risk of exploitation.

How to fix CVE-2024-28088?

1. PATCH: upgrade langchain-core to ≥0.1.29 immediately—this is the only full fix. 2. AUDIT: review all load_chain() and hub.pull() call sites; ensure no user-controlled input reaches the path parameter. 3. ROTATE: revoke and replace all LLM API keys (OpenAI, Anthropic, Cohere, etc.) present in environments running affected versions. 4. HARDEN: run LangChain processes under least-privilege accounts with restricted filesystem access; use container isolation or chroot where feasible. 5. DETECT: monitor for anomalous outbound connections from AI app containers, unexpected file access outside expected directories, and API key usage spikes indicating credential theft.

What systems are affected by CVE-2024-28088?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application pipelines, RAG pipelines, chatbot backends, AI orchestration layers.

What is the CVSS score for CVE-2024-28088?

CVE-2024-28088 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 13.44%.

Technical Details

NVD Description

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

Exploitation Scenario

An authenticated user of a LangChain-powered application (e.g., an internal AI assistant or customer-facing chatbot) crafts a chain path value such as `../../../../home/appuser/.env` or points to a malicious YAML config hosted on an attacker-controlled server. When the application calls load_chain() with this attacker-supplied value, the traversal bypasses the GitHub hub restriction. To achieve credential theft, the attacker reads .env files containing OPENAI_API_KEY or ANTHROPIC_API_KEY. To achieve RCE, they craft a malicious chain YAML that invokes Python's exec or subprocess, establishing a reverse shell on the server. With low privileges required and a public PoC available, this is an entry-level exploit for a high-value target.