AI Threat Alert

CVE-2024-3571: LangChain: path traversal allows arbitrary file R/W

HIGH PoC AVAILABLE CISA: TRACK*
Published April 16, 2024
CISO Take

Any LangChain deployment using LocalFileStore is exposed to unauthenticated file system access by low-privileged users — patch immediately or disable LocalFileStore. CVSS 8.8 with network vector and low complexity means this is trivially exploitable by any authenticated app user. If you run LangChain-based agents or RAG pipelines in production, treat this as critical until patched.

What is the risk?

High risk. CVSS 8.8 with AV:N/AC:L/PR:L reflects real-world exploitability: any authenticated user of an application backed by LangChain's LocalFileStore can traverse directories. No AI/ML expertise required — standard path traversal techniques apply. The risk compounds in agentic architectures where LocalFileStore is used as a caching or memory layer: successful exploitation can expose model artifacts, API keys, training data, or system credentials stored on disk. File write capability creates a direct path to RCE via cron jobs, SSH authorized_keys, or Python import paths.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
1.9%
chance of exploitation in 30 days
Higher than 76% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. Patch: upgrade to the commit aad3d8bd47d7f5598156ff2bdcc8f736f24a7412 or any LangChain release incorporating it — verify your pinned version includes this fix.

  2. Workaround if immediate patching is not possible: replace LocalFileStore with an in-memory or database-backed store (Redis, PostgreSQL) and revoke filesystem access from the LangChain process.

  3. Principle of least privilege: run LangChain processes under a dedicated service account with access limited strictly to required directories via filesystem ACLs or container mount restrictions.

  4. Detection: audit access logs for path traversal sequences (../, %2e%2e) in storage keys; monitor for anomalous file access outside expected working directories via auditd or eBPF-based tools.

  5. Inventory: identify all services using LangChain — check requirements.txt, poetry.lock, and Dockerfile references across repos.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Framework Agent AML.T0010.001 AML.T0025 AML.T0037 AML.T0049 AML.T0053 AML.T0072

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.6 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms for vulnerability management in AI systems
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-3571?

Any LangChain deployment using LocalFileStore is exposed to unauthenticated file system access by low-privileged users — patch immediately or disable LocalFileStore. CVSS 8.8 with network vector and low complexity means this is trivially exploitable by any authenticated app user. If you run LangChain-based agents or RAG pipelines in production, treat this as critical until patched.

Is CVE-2024-3571 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3571, increasing the risk of exploitation.

How to fix CVE-2024-3571?

1. Patch: upgrade to the commit aad3d8bd47d7f5598156ff2bdcc8f736f24a7412 or any LangChain release incorporating it — verify your pinned version includes this fix. 2. Workaround if immediate patching is not possible: replace LocalFileStore with an in-memory or database-backed store (Redis, PostgreSQL) and revoke filesystem access from the LangChain process. 3. Principle of least privilege: run LangChain processes under a dedicated service account with access limited strictly to required directories via filesystem ACLs or container mount restrictions. 4. Detection: audit access logs for path traversal sequences (../, %2e%2e) in storage keys; monitor for anomalous file access outside expected working directories via auditd or eBPF-based tools. 5. Inventory: identify all services using LangChain — check requirements.txt, poetry.lock, and Dockerfile references across repos.

What systems are affected by CVE-2024-3571?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application backends, model serving.

What is the CVSS score for CVE-2024-3571?

CVE-2024-3571 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.86%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksLLM application backendsmodel serving

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art.15
ISO 42001: A.9.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

Exploitation Scenario

An attacker with low-privilege access to a LangChain-backed RAG application (e.g., a customer-facing Q&A chatbot) crafts a storage key containing traversal sequences such as `../../../../etc/passwd` or `../../../../app/.env` and calls the mget method via an exposed API endpoint or indirectly through prompt injection that triggers a cache lookup. The application resolves the path without sanitization, returning the contents of arbitrary files. In write mode via mset, the attacker plants a Python file in a package directory or a cron job payload in /etc/cron.d, achieving remote code execution on the next import or scheduled execution. In a multi-tenant SaaS deployment, one tenant could exfiltrate another tenant's cached data or the host's cloud provider instance metadata credentials.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
April 16, 2024
Last Modified
July 29, 2025
First Seen
April 16, 2024

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed