AI Threat Alert AI Threat Alert

CVE-2025-6855: Langchain-Chatchat: path traversal exposes system files

GHSA-f823-phmg-x5fr HIGH PoC AVAILABLE CISA: TRACK*
Published June 29, 2025
CISO Take

Langchain-Chatchat deployments up to v0.3.1 expose a path traversal via the /v1/file API that any authenticated user can exploit to read or write arbitrary files on the host — with no patch available. If you run Chatchat in your enterprise RAG stack, isolate it from the internet immediately and restrict network access to trusted internal segments only. Audit who has credentials to the instance; low-privilege accounts are sufficient to exploit this.

Risk Assessment

Risk is HIGH. CVSS 8.8 with network access, low complexity, and only low privileges required makes this trivially exploitable by any authenticated user — no specialist knowledge needed. The impact triad (C:H/I:H/A:H) indicates full compromise potential: read model configs, .env files containing API keys, write malicious files, or corrupt the knowledge base. No patch exists as of CVE publication date, leaving defenders with only compensating controls. Chatchat is widely deployed in enterprise on-premise RAG setups, increasing exposure surface.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain-chatchat pip No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →
langchain-chatchat pip <= 0.3.1 No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Severity & Risk

CVSS 3.1
8.8 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 72% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

Recommended Action

7 steps

  1. IMMEDIATE

    Block or disable the /v1/file API endpoint if not required for core operations — add a WAF rule or reverse proxy rule denying requests with path traversal patterns (../, %2e%2e, %252e%252e) in any parameter.

  2. Network segmentation: ensure Chatchat is not internet-facing; restrict to internal VPN-only access.

  3. Principle of least privilege: run the Chatchat process as a non-root user with a chroot or container boundary limiting filesystem access to only the document/knowledge base directory.

  4. Rotate all API keys and credentials stored on hosts running Chatchat.

  5. Review access logs for suspicious /v1/file requests with abnormal flag values.

  6. Monitor the upstream repository (chatchat-space/Langchain-Chatchat) for a patched release and apply immediately when available.

  7. Consider deploying a read-only filesystem mount for non-essential paths.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Code Execution Framework RAG AML.T0025 AML.T0037 AML.T0049 AML.T0055 AML.T0085

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.6 - Access control to AI systems and data A.8.4 - Protection of AI system resources
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MEASURE 2.5 - AI system to be deployed reflects its assessed risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6855?

Langchain-Chatchat deployments up to v0.3.1 expose a path traversal via the /v1/file API that any authenticated user can exploit to read or write arbitrary files on the host — with no patch available. If you run Chatchat in your enterprise RAG stack, isolate it from the internet immediately and restrict network access to trusted internal segments only. Audit who has credentials to the instance; low-privilege accounts are sufficient to exploit this.

Is CVE-2025-6855 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6855, increasing the risk of exploitation.

How to fix CVE-2025-6855?

1. IMMEDIATE: Block or disable the /v1/file API endpoint if not required for core operations — add a WAF rule or reverse proxy rule denying requests with path traversal patterns (../, %2e%2e, %252e%252e) in any parameter. 2. Network segmentation: ensure Chatchat is not internet-facing; restrict to internal VPN-only access. 3. Principle of least privilege: run the Chatchat process as a non-root user with a chroot or container boundary limiting filesystem access to only the document/knowledge base directory. 4. Rotate all API keys and credentials stored on hosts running Chatchat. 5. Review access logs for suspicious /v1/file requests with abnormal flag values. 6. Monitor the upstream repository (chatchat-space/Langchain-Chatchat) for a patched release and apply immediately when available. 7. Consider deploying a read-only filesystem mount for non-essential paths.

What systems are affected by CVE-2025-6855?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, local LLM serving, knowledge base Q&A systems.

What is the CVSS score for CVE-2025-6855?

CVE-2025-6855 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.69%.

Technical Details

NVD Description

A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown processing of the file /v1/file. The manipulation of the argument flag leads to path traversal. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An adversary with a low-privilege Chatchat account (or a compromised internal user credential) sends a crafted GET or POST request to /v1/file with the flag parameter set to a traversal string such as ../../../../etc/passwd or ../../../../app/.env. Since Chatchat typically runs with broad filesystem permissions to serve its knowledge base documents, the traversal succeeds and returns sensitive file contents. The attacker extracts the .env file to obtain LLM API keys (OpenAI, Anthropic), then uses those keys externally to exfiltrate model access or incur costs. In a write scenario, the attacker overwrites a Python startup script or Chatchat configuration file to insert a reverse shell payload that executes when the service restarts. This entire chain requires only one authenticated API call per step — no AI/ML knowledge needed.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
June 29, 2025
Last Modified
November 3, 2025
First Seen
June 29, 2025

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed