CVE-2025-45150: ChatGLM-Webui: arbitrary file read, no auth required

Severity: CRITICAL. Public PoC available. CISA SSVC decision: Track*.
Published August 1, 2025
CISO Take

CVE-2025-45150 is a CVSS 9.8 unauthenticated file disclosure in LangChain-ChatGLM-Webui — any attacker can craft an HTTP request to read and exfiltrate arbitrary server files including API keys, model configs, and training data. No patch is available; take all exposed instances offline immediately and assume credential compromise if the service was internet-accessible. Rotate every API key and secret stored on the host.

What is the risk?

Exploitability is maximum: network-accessible, zero privileges required, zero user interaction. CWE-732 (incorrect permission assignment for critical resource) means the entire filesystem accessible to the web process is exposed. In AI deployments this routinely includes LLM provider API keys (OpenAI, Anthropic), HuggingFace tokens, database credentials, and proprietary training data. The absence of a patch combined with trivial exploitation (crafted HTTP request) places this in the immediate-action tier for any organization running this component.

What systems are affected?

Package: LangChain
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps

  1. IMMEDIATE: Take all exposed instances offline or block inbound access via firewall/WAF.
  2. ASSUME BREACH: Treat all credentials on the host as compromised — rotate LLM API keys (OpenAI, Anthropic, HuggingFace), database passwords, and cloud service credentials.
  3. AUDIT LOGS: Review web server access logs for crafted requests with path traversal patterns (../, %2e%2e, /etc/passwd, .env, config.json).
  4. NO PATCH: No upstream fix is referenced; do not redeploy until a code review confirms permission logic is corrected and file access is properly scoped.
  5. NETWORK CONTROLS: If redeployment is required, restrict access to authenticated VPN or internal network only; never expose it directly to the internet.
  6. DETECTION RULE: Alert on HTTP requests containing path traversal sequences or sensitive filenames in web application logs.
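As an added example (not code from the advisory or from the ChatGLM-Webui project), the following Python script implements steps 3 and 6 against constructed combined-format access log lines: it percent-decodes each request target until it stops changing (so %2e%2e and double-encoded %252e are caught), then flags traversal sequences and the sensitive filenames the advisory lists. The log format, sample addresses and endpoint names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the advisory's audit-log and detection-rule steps.
SENSITIVE_NAMES = (".env", "config.json", "/etc/passwd", "/proc/self/environ")
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")  # "../" or "..\" after decoding
# Combined-log-format line: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def normalize_target(raw: str) -> str:
    """Percent-decode the request target until it stops changing (catches
    %2e%2e and double-encoded %252e), then lower-case it for matching."""
    target = raw
    for _ in range(3):  # bounded: two rounds cover double encoding
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def classify_request(raw_target: str) -> list:
    """Return the indicators found in one request target (empty list if clean)."""
    target = normalize_target(raw_target)
    hits = ["traversal"] if TRAVERSAL.search(target) else []
    hits.extend(name for name in SENSITIVE_NAMES if name in target)
    return hits

def scan_log(lines) -> list:
    """Return one finding per suspicious access-log line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status, _size = m.groups()
        hits = classify_request(target)
        if hits:
            findings.append({"client": client, "time": ts, "status": int(status),
                             "target": target, "indicators": hits})
    return findings

# Constructed sample log lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /chat HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "GET /static/css/main.css HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Aug/2025:10:00:03 +0000] "GET /download?file=../../.env HTTP/1.1" 200 180',
    '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /file?path=%2e%2e%2f%2e%2e%2fconfig.json HTTP/1.1" 200 940',
    '198.51.100.7 - - [01/Aug/2025:10:00:05 +0000] "GET /file?path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    'not a log line',
]
```

Running `scan_log(SAMPLE_LOG)` returns three findings, all from the same client; a 404 on a traversal attempt is still reported, since failed probes are the earliest sign of scanning.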

What does CISA's SSVC say?

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - AI system security
NIST AI RMF: MANAGE-2.2 - Mechanisms to maintain AI systems and manage AI risks are in place
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions


Is CVE-2025-45150 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-45150, increasing the risk of exploitation.


What systems are affected by CVE-2025-45150?

This vulnerability affects the following AI/ML architecture patterns: LLM web interfaces, agent frameworks, model serving, RAG pipelines.

What is the CVSS score for CVE-2025-45150?

CVE-2025-45150 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

LLM web interfaces, agent frameworks, model serving, RAG pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allow attackers to arbitrarily view and download sensitive files via a crafted request.

Exploitation Scenario

An adversary scans for exposed ChatGLM-Webui instances via Shodan or FOFA using service banners or default UI fingerprints. Upon finding an exposed instance, they craft HTTP GET requests targeting sensitive file paths (e.g., requests referencing ../../.env, ../../config.json, or /proc/self/environ) by exploiting the insecure permission assignment — no authentication token or session is required. Within minutes they extract LLM API keys, database connection strings, and potentially training data files. These credentials are then leveraged to pivot: abusing LLM API keys for cost harvesting or exfiltrating proprietary model artifacts, or accessing connected databases for further data theft. The entire attack chain requires no AI/ML knowledge and can be scripted trivially.

Weaknesses (CWE)

CWE-732 — Incorrect Permission Assignment for Critical Resource: The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

  • [Implementation] When using a critical resource such as a configuration file, check to see if the resource has insecure permissions (such as being modifiable by any regular user) [REF-62], and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party.
  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully defining distinct user groups, privileges, and/or roles. Map these against data, functionality, and the related resources. Then set the permissions accordingly. This will allow you to maintain more fine-grained control over your resources. [REF-207]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 1, 2025
Last Modified: October 17, 2025
First Seen: August 1, 2025
