Malicious HTML file download vulnerability in Recursive URLLoader
CVE-2024-0243

8.1HIGH

Key Information:

Vendor

Langchain-ai

Status
Langchain-ai/langchain
Vendor
CVE Published:
26 February 2024

What is CVE-2024-0243?

The Recursive URL Loader in Langchain is susceptible to an HTML file inclusion vulnerability, allowing an attacker to potentially load malicious files. If an attacker controls the content at a specified URL, they can craft HTML files with links directing to external resources. This can occur even when 'prevent_outside' configurations are set, presenting a significant risk for unintended file retrieval and external data compromise. To mitigate this issue, it is crucial to update to the latest version where the vulnerability is resolved.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

langchain-ai/langchain < 0.1.0

References

https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e...
https://github.com/langchain-ai/langchain/commit/bf0b3cc0...
https://github.com/langchain-ai/langchain/pull/15559

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.