Malicious HTML file download vulnerability in Recursive URLLoader
CVE-2024-0243

8.1HIGH

Key Information:

Vendor: langchain-ai
CVE Published: 26 February 2024

What is CVE-2024-0243?

The RecursiveUrlLoader in LangChain crawls a starting URL and then follows the links found in the fetched pages. Its prevent_outside option is meant to keep that crawl from leaving the base URL. In affected versions the restriction can be bypassed: an attacker who controls the content served at the crawled URL can supply HTML whose links point at resources outside the base, and the loader follows them even when prevent_outside is set. The consequence is unintended retrieval of files the operator never meant to load and requests to external endpoints chosen by the attacker, with whatever data the loader fetches ending up in the caller's document set. The fix is to upgrade to a release in which the check is corrected (see Affected Version(s) below).
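The page does not state which link forms slipped past the check in affected versions. The following is an added example, written for this advisory; it is not LangChain's code and it does not reproduce the reported payload. It contrasts a string-prefix "stay inside the base" check with one that decides on parsed URL components (scheme, host, port, path). The two prefix bypasses shown (a host that merely begins with the base host, and userinfo before an @) are general hazards of prefix matching, included to show what the parsed check rejects. The hostnames, the HTML, and the function names (extract_links, is_inside, filter_links) are constructed for the example; only the option name prevent_outside comes from the advisory.

```python
# Added example for this advisory; not LangChain's code and not the reported
# payload. Shows why a crawler's prevent_outside option must be enforced on
# parsed URL components rather than on the raw link text. All hostnames and
# the HTML below are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE_URL = "https://docs.example.com"  # constructed: the crawl's starting URL

# Constructed stand-in for a page an attacker controls at the crawled URL.
ATTACKER_HTML = """
<html><body>
<a href="/guide/intro.html">legit internal page</a>
<a href="https://docs.example.com.attacker.example/harvest">host prefix trick</a>
<a href="https://docs.example.com@attacker.example/harvest">userinfo trick</a>
<a href="//attacker.example/harvest">scheme-relative link</a>
<a href="file:///etc/passwd">non-http scheme</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html, page_url):
    """Return absolute URLs for every href on the page, de-duplicated in order."""
    parser = _LinkCollector()
    parser.feed(html)
    seen, out = set(), []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if absolute not in seen:
            seen.add(absolute)
            out.append(absolute)
    return out


def naive_is_inside(link, base_url):
    """String-prefix check: accepts any link whose text starts with base_url."""
    return link.startswith(base_url)


def _effective_port(parts):
    return parts.port or {"http": 80, "https": 443}.get(parts.scheme)


def is_inside(link, base_url):
    """Parsed-component check: same scheme, host and port, path under the base path."""
    base, cand = urlparse(base_url), urlparse(link)
    if cand.scheme not in ("http", "https") or cand.scheme != base.scheme:
        return False
    # .hostname drops userinfo and port and lower-cases the host.
    if not cand.hostname or cand.hostname != base.hostname:
        return False
    try:
        if _effective_port(cand) != _effective_port(base):
            return False
    except ValueError:  # malformed port such as "https://h:abc/"
        return False
    base_dir = base.path.rstrip("/") + "/"
    return cand.path == base_dir.rstrip("/") or cand.path.startswith(base_dir)


def filter_links(html, page_url, base_url, prevent_outside=True):
    """Links the crawler may follow; mirrors the semantics of a prevent_outside flag."""
    links = extract_links(html, page_url)
    if not prevent_outside:
        return links
    return [link for link in links if is_inside(link, base_url)]


if __name__ == "__main__":
    for link in extract_links(ATTACKER_HTML, BASE_URL + "/"):
        print(f"{link:55s} prefix-check={naive_is_inside(link, BASE_URL)!s:5s} "
              f"parsed-check={is_inside(link, BASE_URL)}")
```

Run stand-alone, the script lists the five resolved links and shows the prefix check accepting both attacker-controlled hosts while the parsed check accepts only the one under docs.example.com. The path comparison is done against the base path with a trailing slash so that a base of /guide does not admit /guidebook, the same prefix mistake at the path level.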

Affected Version(s)

langchain-ai/langchain < 0.1.0

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published: 26 February 2024

  • Vulnerability Reserved
