CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2057 – LangChain langchain_community TFIDFRetriever tfidf.py load_local server-side request forgery
https://notcve.org/view.php?id=CVE-2024-2057
01 Mar 2024 — A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. • https://github.com/bayuncao/vul-cve-16 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27444
https://notcve.org/view.php?id=CVE-2024-27444
26 Feb 2024 — langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py. langchain_experimental (también conocido como LangChain Experimental) en LangChain anterior a 0.1.8 permite a un atacante eludir la corrección CVE-2023-44467 y ejecutar ... • https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0243 – Server-side Request Forgery In Recursive URL Loader
https://notcve.org/view.php?id=CVE-2024-0243
24 Feb 2024 — With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text ) docs = loader.load() ``` An attacker in control of the contents of `https://example.com` could place a malicious HTML file in there with links like "https://example.completely.different/my_file.html" and the crawler would proceed to download that file as well even though `prevent_outside=True... • https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32786
https://notcve.org/view.php?id=CVE-2023-32786
20 Oct 2023 — In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks. En Langchain hasta 0.0.155, la inyección rápida permite a un atacante forzar al servicio a recuperar datos de una URL arbitraria, esencialmente proporcionando SSRF y potencialmente inyectando contenido en tareas posteriores. • https://gist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46229
https://notcve.org/view.php?id=CVE-2023-46229
19 Oct 2023 — LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. LangChain anterior a 0.0.317 permite SSRF a través de document_loaders/recursive_url_loader.py porque el rastreo puede proceder desde un servidor externo a un servidor interno. • https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44467
https://notcve.org/view.php?id=CVE-2023-44467
09 Oct 2023 — langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py. langchain_experimental 0.0.14 permite a un atacante omitir la corrección CVE-2023-36258 y ejecutar código arbitrario a través de PALChain en el método python exec. • https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483 •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-39631
https://notcve.org/view.php?id=CVE-2023-39631
01 Sep 2023 — An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Un problema en LanChain-ai Langchain v.0.0.245 permite a un atacante remoto ejecutar código arbitrario a través de la función evaluate en numexpr library. • https://github.com/langchain-ai/langchain/issues/8363 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 5CVE-2023-36281
https://notcve.org/view.php?id=CVE-2023-36281
22 Aug 2023 — An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template. • https://github.com/tagomaru/CVE-2023-36281 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-38860
https://notcve.org/view.php?id=CVE-2023-38860
15 Aug 2023 — An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter. Un problema en LangChain v.0.0.231 permite a un atacante remoto ejecutar código arbitrario a través del parámetro prompt. • https://github.com/hwchase17/langchain/issues/7641 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39659
https://notcve.org/view.php?id=CVE-2023-39659
15 Aug 2023 — An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. Un problema en langchain langchain-ai v.0.0.232 y anteriores permite a un atacante remoto ejecutar código arbitrario a través de un script manipulado en el componente PythonAstREPLTool._run. • https://github.com/langchain-ai/langchain/issues/7700 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •