AI Threat Alert

CVE-2025-6855: Langchain-Chatchat: path traversal exposes system files

GHSA-f823-phmg-x5fr HIGH PoC AVAILABLE CISA: TRACK*
Published June 29, 2025
CISO Take

Langchain-Chatchat deployments up to v0.3.1 expose a path traversal via the /v1/file API that any authenticated user can exploit to read or write arbitrary files on the host — with no patch available. If you run Chatchat in your enterprise RAG stack, isolate it from the internet immediately and restrict network access to trusted internal segments only. Audit who has credentials to the instance; low-privilege accounts are sufficient to exploit this.

What is the risk?

Risk is HIGH. CVSS 8.8 with network access, low complexity, and only low privileges required makes this trivially exploitable by any authenticated user — no specialist knowledge needed. The impact triad (C:H/I:H/A:H) indicates full compromise potential: read model configs, .env files containing API keys, write malicious files, or corrupt the knowledge base. No patch exists as of CVE publication date, leaving defenders with only compensating controls. Chatchat is widely deployed in enterprise on-premise RAG setups, increasing exposure surface.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →
LangChain pip <= 0.3.1 No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

7 steps

  1. IMMEDIATE

    Block or disable the /v1/file API endpoint if not required for core operations — add a WAF rule or reverse proxy rule denying requests with path traversal patterns (../, %2e%2e, %252e%252e) in any parameter.

  2. Network segmentation: ensure Chatchat is not internet-facing; restrict to internal VPN-only access.

  3. Principle of least privilege: run the Chatchat process as a non-root user with a chroot or container boundary limiting filesystem access to only the document/knowledge base directory.

  4. Rotate all API keys and credentials stored on hosts running Chatchat.

  5. Review access logs for suspicious /v1/file requests with abnormal flag values.

  6. Monitor the upstream repository (chatchat-space/Langchain-Chatchat) for a patched release and apply immediately when available.

  7. Consider deploying a read-only filesystem mount for non-essential paths.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Code Execution Framework RAG AML.T0025 AML.T0037 AML.T0049 AML.T0055 AML.T0085

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system
ISO 42001
A.6.2.6 - Access control to AI systems and data A.8.4 - Protection of AI system resources
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems MEASURE 2.5 - AI system to be deployed reflects its assessed risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-6855?

Langchain-Chatchat deployments up to v0.3.1 expose a path traversal via the /v1/file API that any authenticated user can exploit to read or write arbitrary files on the host — with no patch available. If you run Chatchat in your enterprise RAG stack, isolate it from the internet immediately and restrict network access to trusted internal segments only. Audit who has credentials to the instance; low-privilege accounts are sufficient to exploit this.

Is CVE-2025-6855 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-6855, increasing the risk of exploitation.

How to fix CVE-2025-6855?

1. IMMEDIATE: Block or disable the /v1/file API endpoint if not required for core operations — add a WAF rule or reverse proxy rule denying requests with path traversal patterns (../, %2e%2e, %252e%252e) in any parameter. 2. Network segmentation: ensure Chatchat is not internet-facing; restrict to internal VPN-only access. 3. Principle of least privilege: run the Chatchat process as a non-root user with a chroot or container boundary limiting filesystem access to only the document/knowledge base directory. 4. Rotate all API keys and credentials stored on hosts running Chatchat. 5. Review access logs for suspicious /v1/file requests with abnormal flag values. 6. Monitor the upstream repository (chatchat-space/Langchain-Chatchat) for a patched release and apply immediately when available. 7. Consider deploying a read-only filesystem mount for non-essential paths.

What systems are affected by CVE-2025-6855?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, local LLM serving, knowledge base Q&A systems.

What is the CVSS score for CVE-2025-6855?

CVE-2025-6855 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.55%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworkslocal LLM servingknowledge base Q&A systems

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: MANAGE 2.2, MEASURE 2.5
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown processing of the file /v1/file. The manipulation of the argument flag leads to path traversal. The exploit has been disclosed to the public and may be used.

Exploitation Scenario

An adversary with a low-privilege Chatchat account (or a compromised internal user credential) sends a crafted GET or POST request to /v1/file with the flag parameter set to a traversal string such as ../../../../etc/passwd or ../../../../app/.env. Since Chatchat typically runs with broad filesystem permissions to serve its knowledge base documents, the traversal succeeds and returns sensitive file contents. The attacker extracts the .env file to obtain LLM API keys (OpenAI, Anthropic), then uses those keys externally to exfiltrate model access or incur costs. In a write scenario, the attacker overwrites a Python startup script or Chatchat configuration file to insert a reverse shell payload that executes when the service restarts. This entire chain requires only one authenticated API call per step — no AI/ML knowledge needed.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
June 29, 2025
Last Modified
November 3, 2025
First Seen
June 29, 2025

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed