CVE-2024-2057

PYSEC-2024-278 · CVE-2024-2057

Published Mar 1, 2024 · Modified May 21, 2026

Description

A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372.

References

WEB https://github.com/bayuncao/vul-cve-16/tree/main/PoC.pkl
REPORT https://vuldb.com/?ctiid.255372
REPORT https://vuldb.com/?id.255372
FIX https://github.com/langchain-ai/langchain/pull/18695
PACKAGE https://github.com/bayuncao/vul-cve-16

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes