CVE-2024-3571 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

Any LangChain deployment using LocalFileStore is exposed to unauthenticated file system access by low-privileged users — patch immediately or disable LocalFileStore. CVSS 8.8 with network vector and low complexity means this is trivially exploitable by any authenticated app user. If you run LangChain-based agents or RAG pipelines in production, treat this as critical until patched.

Risk Assessment

High risk. CVSS 8.8 with AV:N/AC:L/PR:L reflects real-world exploitability: any authenticated user of an application backed by LangChain's LocalFileStore can traverse directories. No AI/ML expertise required — standard path traversal techniques apply. The risk compounds in agentic architectures where LocalFileStore is used as a caching or memory layer: successful exploitation can expose model artifacts, API keys, training data, or system credentials stored on disk. File write capability creates a direct path to RCE via cron jobs, SSH authorized_keys, or Python import paths.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain	pip	—	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Do you use langchain? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

2.0%

chance of exploitation in 30 days

Higher than 84% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch: upgrade to the commit aad3d8bd47d7f5598156ff2bdcc8f736f24a7412 or any LangChain release incorporating it — verify your pinned version includes this fix.
Workaround if immediate patching is not possible: replace LocalFileStore with an in-memory or database-backed store (Redis, PostgreSQL) and revoke filesystem access from the LangChain process.
Principle of least privilege: run LangChain processes under a dedicated service account with access limited strictly to required directories via filesystem ACLs or container mount restrictions.
Detection: audit access logs for path traversal sequences (../, %2e%2e) in storage keys; monitor for anomalous file access outside expected working directories via auditd or eBPF-based tools.
Inventory: identify all services using LangChain — check requirements.txt, poetry.lock, and Dockerfile references across repos.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Framework Agent AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.6 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms for vulnerability management in AI systems

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-3571?

Any LangChain deployment using LocalFileStore is exposed to unauthenticated file system access by low-privileged users — patch immediately or disable LocalFileStore. CVSS 8.8 with network vector and low complexity means this is trivially exploitable by any authenticated app user. If you run LangChain-based agents or RAG pipelines in production, treat this as critical until patched.

Is CVE-2024-3571 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3571, increasing the risk of exploitation.

How to fix CVE-2024-3571?

1. Patch: upgrade to the commit aad3d8bd47d7f5598156ff2bdcc8f736f24a7412 or any LangChain release incorporating it — verify your pinned version includes this fix. 2. Workaround if immediate patching is not possible: replace LocalFileStore with an in-memory or database-backed store (Redis, PostgreSQL) and revoke filesystem access from the LangChain process. 3. Principle of least privilege: run LangChain processes under a dedicated service account with access limited strictly to required directories via filesystem ACLs or container mount restrictions. 4. Detection: audit access logs for path traversal sequences (../, %2e%2e) in storage keys; monitor for anomalous file access outside expected working directories via auditd or eBPF-based tools. 5. Inventory: identify all services using LangChain — check requirements.txt, poetry.lock, and Dockerfile references across repos.

What systems are affected by CVE-2024-3571?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application backends, model serving.

What is the CVSS score for CVE-2024-3571?

CVE-2024-3571 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 2.02%.

Technical Details

NVD Description

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.

Exploitation Scenario

An attacker with low-privilege access to a LangChain-backed RAG application (e.g., a customer-facing Q&A chatbot) crafts a storage key containing traversal sequences such as `../../../../etc/passwd` or `../../../../app/.env` and calls the mget method via an exposed API endpoint or indirectly through prompt injection that triggers a cache lookup. The application resolves the path without sanitization, returning the contents of arbitrary files. In write mode via mset, the attacker plants a Python file in a package directory or a cron job payload in /etc/cron.d, achieving remote code execution on the next import or scheduled execution. In a multi-tenant SaaS deployment, one tenant could exfiltrate another tenant's cached data or the host's cloud provider instance metadata credentials.