{"id":"CVE-2024-7774","summary":"Path Traversal in langchain-ai/langchainjs","details":"A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.","aliases":["GHSA-hc5w-c9f8-9cc4"],"modified":"2026-05-20T03:53:04.690718130Z","published":"2024-10-29T12:49:21.165Z","related":["CGA-3j5c-22jx-w4g3"],"database_specific":{"cna_assigner":"@huntr_ai","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/7xxx/CVE-2024-7774.json","cwe_ids":["CWE-29"]},"references":[{"type":"WEB","url":"https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/7xxx/CVE-2024-7774.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-7774"},{"type":"FIX","url":"https://github.com/langchain-ai/langchainjs/commit/a0fad77d6b569e5872bd4a9d33be0c0785e538a9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/langchain-ai/langchainjs","events":[{"introduced":"0"},{"fixed":"d5ba68dfdb91d5f5ed701952d486667526902ece"}]}],"versions":["0.2.18","0.2.16","0.2.15","0.2.14","0.2.13","0.2.11","0.2.10","0.2.9","0.2.8","0.2.7","0.2.6","0.2.5","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0@next","0.1.36","0.1.35","0.1.34","0.1.33","0.1.32","0.1.31","0.1.30","0.1.29","0.1.28","0.1.27","0.1.26","0.1.22","0.1.21","0.1.20","0.1.19","0.1.18","0.1.16","0.1.15","0.1.14","0.1.13","0.1.12","0.1.11","0.1.10","0.1.9","0.1.8","0.1.7","0.1.6","0.1.5","0.1.4","0.1.3","0.1.2","0.1.1","0.1.0","0.0.214","0.0.213","0.0.212","0.0.211","0.0.210","0.0.209","0.0.208","0.0.207","0.0.206","0.0.205","0.0.204","0.0.203","0.0.202","0.0.201","0.0.200","0.0.199","0.0.198","0.0.197","0.0.196","0.0.195","0.0.194","0.0.193","0.0.192","0.0.191","0.0.190","0.0.189","0.0.188","0.0.187","0.0.186","0.0.185","0.0.184","0.0.183","0.0.182","0.0.181","0.0.180","0.0.179","0.0.178","0.0.177","0.0.176","0.0.175","0.0.174","0.0.173","0.0.172","0.0.171","0.0.170","0.0.169","0.0.168","0.0.167","0.0.166","0.0.165","0.0.164","0.0.163","0.0.162","0.0.161","0.0.160","0.0.159","0.0.158","0.0.157","0.0.156","0.0.155","0.0.154","0.0.153","0.0.152","0.0.151","0.0.150","0.0.149","0.0.148","0.0.147","0.0.146","0.0.145","0.0.144","0.0.143","0.0.141","0.0.140","0.0.139","0.0.138","0.0.137","0.0.136","0.0.135","0.0.134","0.0.133","0.0.132","0.0.131","0.0.130","0.0.129","0.0.128","0.0.127","0.0.126","0.0.125","0.0.124","0.0.123","0.0.122","0.0.121","0.0.120","0.0.119","0.0.118","0.0.117","0.0.116","0.0.115","0.0.114","0.0.113","0.0.112","0.0.111","0.0.110","0.0.109","0.0.108","0.0.107","0.0.106","0.0.105","0.0.104","0.0.103","0.0.102","0.0.101","0.0.100","0.0.98","0.0.97","0.0.92","0.0.91","0.0.90","0.0.89","0.0.88","0.0.87","0.0.86","0.0.85","0.0.84","0.0.83"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7774.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}