AI Threat Alert

CVE-2024-7774: LangChain.js: path traversal, arbitrary file read/write

CRITICAL PoC AVAILABLE CISA: TRACK*
Published October 29, 2024
CISO Take

CVE-2024-7774 is a critical (CVSS 9.1) unauthenticated path traversal in LangChain.js v0.2.5 — no credentials or user interaction required. Attackers can read, overwrite, or delete arbitrary files on any server running the affected file tools. Patch to commit a0fad77d immediately; if not possible, containerize with read-only volume mounts and restrict the process to minimal filesystem permissions.

What is the risk?

Extremely high exploitability: network-accessible, zero privileges, zero user interaction, low complexity. Any LangChain.js deployment exposing file-handling tools (setFileContent, getParsedFile, mdelete) is trivially compromised. Wide blast radius in AI pipelines where file tools are routinely used for document ingestion, RAG, and agent memory. The EPSS data gap does not reduce severity — the attack mechanics are straightforward path traversal with no mitigating factors in the CVSS vector.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 3d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
9.1 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 41% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A None

What should I do?

5 steps

  1. Patch immediately: apply commit a0fad77d6b569e5872bd4a9d33be0c0785e538a9 or upgrade LangChain.js beyond v0.2.5.

  2. If patching is delayed: run the process under a restricted OS user with filesystem access limited to a designated working directory; use Docker with explicit volume mounts and no access to sensitive paths.

  3. Deploy WAF rules blocking path traversal patterns (../, ..\ , %2e%2e%2f) in inputs to file-handling endpoints.

  4. Audit process-level file access logs for traversal patterns in LangChain.js tool invocations.

  5. Inventory all .txt files accessible to the LangChain.js process and confirm none contain credentials, API keys, or PII.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Data Leakage Framework Agent AML.T0025 AML.T0037 AML.T0049 AML.T0053 AML.T0101

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - AI system security controls
NIST AI RMF
MANAGE-2.2 - Risk Response — AI risk treatment
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-7774?

CVE-2024-7774 is a critical (CVSS 9.1) unauthenticated path traversal in LangChain.js v0.2.5 — no credentials or user interaction required. Attackers can read, overwrite, or delete arbitrary files on any server running the affected file tools. Patch to commit a0fad77d immediately; if not possible, containerize with read-only volume mounts and restrict the process to minimal filesystem permissions.

Is CVE-2024-7774 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7774, increasing the risk of exploitation.

How to fix CVE-2024-7774?

1. Patch immediately: apply commit a0fad77d6b569e5872bd4a9d33be0c0785e538a9 or upgrade LangChain.js beyond v0.2.5. 2. If patching is delayed: run the process under a restricted OS user with filesystem access limited to a designated working directory; use Docker with explicit volume mounts and no access to sensitive paths. 3. Deploy WAF rules blocking path traversal patterns (../, ..\ , %2e%2e%2f) in inputs to file-handling endpoints. 4. Audit process-level file access logs for traversal patterns in LangChain.js tool invocations. 5. Inventory all .txt files accessible to the LangChain.js process and confirm none contain credentials, API keys, or PII.

What systems are affected by CVE-2024-7774?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application backends, document processing pipelines.

What is the CVSS score for CVE-2024-7774?

CVE-2024-7774 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.55%.

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinesLLM application backendsdocument processing pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06, LLM07

What are the technical details?

Original Advisory

A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

Exploitation Scenario

An adversary targeting a LangChain.js-powered document assistant crafts a filename such as '../../../../app/config/secrets.txt' and submits it through a publicly accessible file retrieval endpoint backed by getParsedFile. Without sanitization, the server resolves the traversal and returns file contents. The attacker then uses setFileContent with a traversed path to overwrite a tool definition file, injecting malicious instructions into the agent's behavior for future sessions. Finally, mdelete is invoked with a traversed path to erase access logs, covering the intrusion. No credentials are required at any step.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-29 Path Traversal: '\..\filename'

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published
October 29, 2024
Last Modified
May 28, 2025
First Seen
October 29, 2024

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed