CVE-2024-2057

Source
https://cve.org/CVERecord?id=CVE-2024-2057
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2057.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-2057
Aliases
Published
2024-03-01T11:31:04.385Z
Modified
2026-07-08T07:47:11.804382388Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
LangChain langchain_community TFIDFRetriever tfidf.py load_local server-side request forgery
Details

A vulnerability was found in LangChain langchaincommunity 0.0.26. It has been classified as critical. Affected is the function loadlocal in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/2xxx/CVE-2024-2057.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/langchain-ai/langchain

Affected ranges

Type
GIT
Repo
https://github.com/langchain-ai/langchain
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_STRING"
    ],
    "cpe": "cpe:2.3:a:langchain:langchain:0.0.26:*:*:*:community:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.0.26"
        },
        {
            "last_affected": "0.0.26"
        }
    ]
}

Affected versions

0.*
0.0.26
langchain-cli==0.*
langchain-cli==0.0.26

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2057.json"