AI Threat Alert

CVE-2025-6854: Langchain-Chatchat: path traversal in file API exposes host FS

GHSA-8v8h-4pjx-rg73 MEDIUM PoC AVAILABLE CISA: TRACK*
Published June 29, 2025
CISO Take

Any authenticated user can traverse the file system via the /v1/files?purpose=assistants endpoint, potentially reading API keys, model configs, system prompts, and sensitive data stored on the host. No patch exists as of publication — restrict access immediately via network controls or WAF rules and treat any exposed instance as compromised until audited. Low exploitation complexity with a public PoC makes this an active risk despite the medium CVSS.

What is the risk?

CVSS 4.3 understates the real-world risk in AI deployments. Low privileges required (any registered user) combined with low complexity and a public exploit significantly raise exploitability. The true impact depends on what sensitive assets are reachable on the host filesystem — LLM framework deployments commonly co-locate API keys, vector database credentials, RAG document stores, and system prompts in predictable paths. EPSS of 0.00147 reflects low mass-exploitation activity but not the risk to targeted organizations. No patch available amplifies urgency.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →
LangChain pip <= 0.3.1 No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 37% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A None

What should I do?

7 steps

  1. IMMEDIATE

    Block or restrict access to /v1/files?purpose=assistants via WAF or reverse proxy for untrusted users.

  2. Network-level: Place Langchain-Chatchat behind VPN or internal network — do not expose to public internet.

  3. Audit: Review web server access logs for path traversal patterns (../, %2e%2e, %252e) in the files endpoint.

  4. Principle of least privilege: Run the application process under a dedicated low-privilege user with minimal filesystem access.

  5. Secrets: Rotate any API keys or credentials stored on the host.

  6. Monitor: Set up file access monitoring (auditd/inotify) on sensitive directories.

  7. Patch: Track https://github.com/chatchat-space/Langchain-Chatchat/issues/5353 for official fix — no patched version exists as of 2025-06-29.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework API RAG AML.T0025 AML.T0035 AML.T0037 AML.T0049 AML.T0083

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.9.3 - AI system security
NIST AI RMF
MANAGE-2.4 - Residual risks are addressed and documented
OWASP LLM Top 10
LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6854?

Any authenticated user can traverse the file system via the /v1/files?purpose=assistants endpoint, potentially reading API keys, model configs, system prompts, and sensitive data stored on the host. No patch exists as of publication — restrict access immediately via network controls or WAF rules and treat any exposed instance as compromised until audited. Low exploitation complexity with a public PoC makes this an active risk despite the medium CVSS.

Is CVE-2025-6854 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6854, increasing the risk of exploitation.

How to fix CVE-2025-6854?

1. IMMEDIATE: Block or restrict access to /v1/files?purpose=assistants via WAF or reverse proxy for untrusted users. 2. Network-level: Place Langchain-Chatchat behind VPN or internal network — do not expose to public internet. 3. Audit: Review web server access logs for path traversal patterns (../, %2e%2e, %252e) in the files endpoint. 4. Principle of least privilege: Run the application process under a dedicated low-privilege user with minimal filesystem access. 5. Secrets: Rotate any API keys or credentials stored on the host. 6. Monitor: Set up file access monitoring (auditd/inotify) on sensitive directories. 7. Patch: Track https://github.com/chatchat-space/Langchain-Chatchat/issues/5353 for official fix — no patched version exists as of 2025-06-29.

What systems are affected by CVE-2025-6854?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application servers, knowledge base systems.

What is the CVSS score for CVE-2025-6854?

CVE-2025-6854 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.47%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksLLM application serversknowledge base systems

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.4
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability affects unknown code of the file /v1/files?purpose=assistants. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An attacker registers an account on an internet-exposed Langchain-Chatchat instance (or compromises a low-privilege account). They send a crafted GET request to /v1/files?purpose=assistants with path traversal sequences (e.g., ../../etc/passwd or ../../app/.env) to enumerate and exfiltrate files. Primary targets include .env files containing OpenAI/Anthropic API keys, LangChain config files with vector DB credentials, knowledge base documents containing proprietary business data, and system prompt files revealing AI behavior configurations. With API keys in hand, the attacker pivots to directly abuse LLM API quotas or exfiltrate RAG-indexed proprietary documents.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Timeline

Published
June 29, 2025
Last Modified
November 3, 2025
First Seen
June 29, 2025

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed