CVE-2024-28088
Published: 04 March 2024
Summary
CVE-2024-28088 is a high-severity Path Traversal (CWE-22) vulnerability in LangChain. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique File and Directory Discovery (T1083); ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain; MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), AI Model Inference API Access (AML.T0040), LLM Prompt Injection (AML.T0051).
Deeper analysis
LangChain through version 0.1.10 contains a directory traversal flaw tracked as CVE-2024-28088 that affects the load_chain function in the langchain-core component. An actor who can supply the final portion of the path parameter is able to inject ../ sequences, which bypasses the intended restriction that configurations may be loaded only from the hwchase17/langchain-hub GitHub repository. The issue is assigned CWE-22 and carries a CVSS 3.1 score of 8.1.
An authenticated caller who controls the path argument can therefore retrieve arbitrary files from the local filesystem or cause the application to load attacker-supplied configuration, resulting in exposure of large-language-model API keys or remote code execution. The vulnerability is exploitable over the network without user interaction once the attacker can invoke load_chain with a crafted path.
A fix is present in langchain-core 0.1.29, delivered via the changes merged in pull request 18600 and reflected in the updated loading.py implementation. Public proof-of-concept code demonstrating both information disclosure and code execution has been published. The EPSS score remains at 0.1343 with no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0085
Vulnerability details
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: LangChain is a framework for building applications powered by LLMs, including chains, agents, and integrations with models, tools, and hubs, making it a fit for AI Agent Protocols and Integrations.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in load_chain enables arbitrary file reads (T1083, T1552.001 for API key disclosure) and remote code execution (T1210) by loading malicious local chain configurations.
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
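The restriction described in the analysis (configurations loaded only from the hwchase17/langchain-hub repository) and the mitigating control listed above both come down to the same check: refuse a caller-supplied path suffix that escapes a fixed base. The following Python is an added example written for this record; it is not LangChain's code and not the fix merged in pull request 18600. HUB_PREFIX, the function names and the sample suffixes are assumptions constructed for illustration.

```python
"""Path-confinement checks for a chain loader (illustrative, not LangChain's code).

Models the two places the advisory describes: a loader that maps a
caller-supplied suffix onto the hwchase17/langchain-hub repository, and one
that maps it onto a local directory. HUB_PREFIX is an assumed URL layout.
"""
import posixpath
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Assumed prefix for hub-hosted configurations (hypothetical layout).
HUB_PREFIX = "https://raw.githubusercontent.com/hwchase17/langchain-hub/master/"


def hub_suffix_allowed(user_suffix: str) -> bool:
    """True if user_suffix stays below the hub prefix after normalisation.

    The suffix is percent-decoded first so an encoded '..' is also caught,
    then normalised as a POSIX path. Anything empty, absolute, containing a
    backslash or NUL, or whose first component is '..' is refused.
    """
    decoded = unquote(user_suffix)
    if not decoded or "\x00" in decoded or "\\" in decoded:
        return False
    if decoded.startswith("/"):
        return False
    parts = PurePosixPath(posixpath.normpath(decoded)).parts
    if not parts or parts[0] in ("..", "/"):
        return False
    return True


def safe_hub_url(user_suffix: str) -> str:
    """Build the hub URL for user_suffix, raising ValueError on traversal."""
    if not hub_suffix_allowed(user_suffix):
        raise ValueError(f"refusing suffix that escapes the hub prefix: {user_suffix!r}")
    return HUB_PREFIX + posixpath.normpath(unquote(user_suffix))


def local_path_confined(base_dir: str, user_suffix: str) -> bool:
    """True if base_dir/user_suffix resolves strictly inside base_dir.

    Resolution follows symlinks and collapses '..', so the comparison is made
    on the real location rather than on the string the caller supplied.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_suffix).resolve()
    return candidate != base and base in candidate.parents


def safe_local_path(base_dir: str, user_suffix: str) -> Path:
    """Return the confined path for user_suffix, raising ValueError otherwise."""
    if not local_path_confined(base_dir, user_suffix):
        raise ValueError(f"refusing path outside {base_dir!r}: {user_suffix!r}")
    return (Path(base_dir) / user_suffix).resolve()


if __name__ == "__main__":
    # Constructed inputs: one legitimate suffix and three traversal attempts.
    for suffix in ("chains/hello-world/chain.json",
                   "chains/../../secrets/keys.json",
                   "..%2F..%2Fsecrets%2Fkeys.json",
                   "/etc/passwd"):
        print(f"{suffix!r:40} hub={hub_suffix_allowed(suffix)} "
              f"local={local_path_confined('/tmp/chains-example', suffix)}")
```

The hub check is lexical (decode, normalise, inspect the first component) because nothing exists locally to resolve against; the local check instead resolves the real path and requires the base directory to be a proper parent, which also rejects a symlink inside the base that points elsewhere.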