CVE-2025-6854 — MEDIUM (CVSS 4.3) AI Security Vulnerability

Q: Is CVE-2025-6854 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6854, increasing the risk of exploitation.

Q: How to fix CVE-2025-6854?

1. IMMEDIATE: Block or restrict access to /v1/files?purpose=assistants via WAF or reverse proxy for untrusted users. 2. Network-level: Place Langchain-Chatchat behind VPN or internal network — do not expose to public internet. 3. Audit: Review web server access logs for path traversal patterns (../, %2e%2e, %252e) in the files endpoint. 4. Principle of least privilege: Run the application process under a dedicated low-privilege user with minimal filesystem access. 5. Secrets: Rotate any API keys or credentials stored on the host. 6. Monitor: Set up file access monitoring (auditd/inotify) on sensitive directories. 7. Patch: Track https://github.com/chatchat-space/Langchain-Chatchat/issues/5353 for official fix — no patched version exists as of 2025-06-29.

Q: What systems are affected by CVE-2025-6854?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application servers, knowledge base systems.

Q: What is the CVSS score for CVE-2025-6854?

CVE-2025-6854 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.50%.

CISO Take

Any authenticated user can traverse the file system via the /v1/files?purpose=assistants endpoint, potentially reading API keys, model configs, system prompts, and sensitive data stored on the host. No patch exists as of publication — restrict access immediately via network controls or WAF rules and treat any exposed instance as compromised until audited. Low exploitation complexity with a public PoC makes this an active risk despite the medium CVSS.

Risk Assessment

CVSS 4.3 understates the real-world risk in AI deployments. Low privileges required (any registered user) combined with low complexity and a public exploit significantly raise exploitability. The true impact depends on what sensitive assets are reachable on the host filesystem — LLM framework deployments commonly co-locate API keys, vector database credentials, RAG document stores, and system prompts in predictable paths. EPSS of 0.00147 reflects low mass-exploitation activity but not the risk to targeted organizations. No patch available amplifies urgency.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain-chatchat	pip	—	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →
langchain-chatchat	pip	<= 0.3.1	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Severity & Risk

CVSS 3.1

4.3 / 10

EPSS

0.5%

chance of exploitation in 30 days

Higher than 66% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C Low

I None

A None

Recommended Action

7 steps

IMMEDIATE

Block or restrict access to /v1/files?purpose=assistants via WAF or reverse proxy for untrusted users.
Network-level: Place Langchain-Chatchat behind VPN or internal network — do not expose to public internet.
Audit: Review web server access logs for path traversal patterns (../, %2e%2e, %252e) in the files endpoint.
Principle of least privilege: Run the application process under a dedicated low-privilege user with minimal filesystem access.
Secrets: Rotate any API keys or credentials stored on the host.
Monitor: Set up file access monitoring (auditd/inotify) on sensitive directories.
Patch: Track https://github.com/chatchat-space/Langchain-Chatchat/issues/5353 for official fix — no patched version exists as of 2025-06-29.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework API RAG AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0083 - Credentials from AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system

ISO 42001

A.9.3 - AI system security

NIST AI RMF

MANAGE-2.4 - Residual risks are addressed and documented

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6854?

Any authenticated user can traverse the file system via the /v1/files?purpose=assistants endpoint, potentially reading API keys, model configs, system prompts, and sensitive data stored on the host. No patch exists as of publication — restrict access immediately via network controls or WAF rules and treat any exposed instance as compromised until audited. Low exploitation complexity with a public PoC makes this an active risk despite the medium CVSS.

Is CVE-2025-6854 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6854, increasing the risk of exploitation.

How to fix CVE-2025-6854?

1. IMMEDIATE: Block or restrict access to /v1/files?purpose=assistants via WAF or reverse proxy for untrusted users. 2. Network-level: Place Langchain-Chatchat behind VPN or internal network — do not expose to public internet. 3. Audit: Review web server access logs for path traversal patterns (../, %2e%2e, %252e) in the files endpoint. 4. Principle of least privilege: Run the application process under a dedicated low-privilege user with minimal filesystem access. 5. Secrets: Rotate any API keys or credentials stored on the host. 6. Monitor: Set up file access monitoring (auditd/inotify) on sensitive directories. 7. Patch: Track https://github.com/chatchat-space/Langchain-Chatchat/issues/5353 for official fix — no patched version exists as of 2025-06-29.

What systems are affected by CVE-2025-6854?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application servers, knowledge base systems.

What is the CVSS score for CVE-2025-6854?

CVE-2025-6854 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.50%.

Technical Details

NVD Description

A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability affects unknown code of the file /v1/files?purpose=assistants. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An attacker registers an account on an internet-exposed Langchain-Chatchat instance (or compromises a low-privilege account). They send a crafted GET request to /v1/files?purpose=assistants with path traversal sequences (e.g., ../../etc/passwd or ../../app/.env) to enumerate and exfiltrate files. Primary targets include .env files containing OpenAI/Anthropic API keys, LangChain config files with vector DB credentials, knowledge base documents containing proprietary business data, and system prompt files revealing AI behavior configurations. With API keys in hand, the attacker pivots to directly abuse LLM API quotas or exfiltrate RAG-indexed proprietary documents.