CVE-2024-7774
- Reference to the description:
- Description:
- A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
- Last updated date:
- 10/31/2024
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 10/31/2024
- Reference url to background
https://huntr.com/bounties/8fe40685-b714-4191-af7a-3de5e5628cee