AI Threat Alert

CVE-2024-28088: LangChain: path traversal enables RCE and API key theft

HIGH PoC AVAILABLE CISA: ATTEND
Published March 4, 2024
CISO Take

Any LangChain deployment through v0.1.10 where external users can influence chain loading paths is directly exploitable for remote code execution or LLM API key theft. A public PoC exists, eliminating any skill barrier. Patch to langchain-core ≥0.1.29 immediately and rotate all LLM API keys on affected systems.

What is the risk?

High risk in practice despite the CVSS 8.1 score. Low complexity, network-reachable attack with a public PoC makes this trivially exploitable by any threat actor. The dual-outcome nature—RCE or API key exfiltration—means organizations face both infrastructure compromise and financial exposure (unauthorized LLM API usage). LangChain's widespread adoption in production AI pipelines significantly increases blast radius.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
1.7%
chance of exploitation in 30 days
Higher than 75% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A None

What should I do?

5 steps

  1. PATCH

    upgrade langchain-core to ≥0.1.29 immediately—this is the only full fix.

  2. AUDIT

    review all load_chain() and hub.pull() call sites; ensure no user-controlled input reaches the path parameter.

  3. ROTATE

    revoke and replace all LLM API keys (OpenAI, Anthropic, Cohere, etc.) present in environments running affected versions.

  4. HARDEN

    run LangChain processes under least-privilege accounts with restricted filesystem access; use container isolation or chroot where feasible.

  5. DETECT

    monitor for anomalous outbound connections from AI app containers, unexpected file access outside expected directories, and API key usage spikes indicating credential theft.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Leakage Supply Chain Framework Agent API AML.T0010.001 AML.T0037 AML.T0049 AML.T0055 AML.T0072 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.10.1 - Suppliers and third-party AI components A.6.2 - AI system operational and maintenance processes
NIST AI RMF
GOVERN 6.1 - Policies and procedures encompass AI risks from third-party entities MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-28088?

Any LangChain deployment through v0.1.10 where external users can influence chain loading paths is directly exploitable for remote code execution or LLM API key theft. A public PoC exists, eliminating any skill barrier. Patch to langchain-core ≥0.1.29 immediately and rotate all LLM API keys on affected systems.

Is CVE-2024-28088 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-28088, increasing the risk of exploitation.

How to fix CVE-2024-28088?

1. PATCH: upgrade langchain-core to ≥0.1.29 immediately—this is the only full fix. 2. AUDIT: review all load_chain() and hub.pull() call sites; ensure no user-controlled input reaches the path parameter. 3. ROTATE: revoke and replace all LLM API keys (OpenAI, Anthropic, Cohere, etc.) present in environments running affected versions. 4. HARDEN: run LangChain processes under least-privilege accounts with restricted filesystem access; use container isolation or chroot where feasible. 5. DETECT: monitor for anomalous outbound connections from AI app containers, unexpected file access outside expected directories, and API key usage spikes indicating credential theft.

What systems are affected by CVE-2024-28088?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application pipelines, RAG pipelines, chatbot backends, AI orchestration layers.

What is the CVSS score for CVE-2024-28088?

CVE-2024-28088 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 1.74%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM application pipelinesRAG pipelineschatbot backendsAI orchestration layers

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.1, A.6.2
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM02:2025, LLM03:2025

What are the technical details?

Original Advisory

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)

Exploitation Scenario

An authenticated user of a LangChain-powered application (e.g., an internal AI assistant or customer-facing chatbot) crafts a chain path value such as `../../../../home/appuser/.env` or points to a malicious YAML config hosted on an attacker-controlled server. When the application calls load_chain() with this attacker-supplied value, the traversal bypasses the GitHub hub restriction. To achieve credential theft, the attacker reads .env files containing OPENAI_API_KEY or ANTHROPIC_API_KEY. To achieve RCE, they craft a malicious chain YAML that invokes Python's exec or subprocess, establishing a reverse shell on the server. With low privileges required and a public PoC available, this is an entry-level exploit for a high-value target.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-31 Path Traversal: 'dir\..\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published
March 4, 2024
Last Modified
January 8, 2025
First Seen
March 4, 2024

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed