
cpe:2.3:a:langchain:langchain:0.2.5:*:*:*:*:*:*:*

part: a version: 0.2.5 update: *

Vendor: Langchain (3bec1db6-30f1-5f7c-8067-d161076b8e16)
Product: Langchain (470aaf7d-9be4-5ab2-a1f8-1df85c8b7784)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

| PURL | Source | Last updated |
| --- | --- | --- |
| pkg:github/hwchase17/langchain | purl2cpe | 2026-06-01 10:15:39.362471 |
| pkg:npm/langchain | purl2cpe | 2026-06-01 10:15:39.362473 |
| pkg:pypi/langchain | purl2cpe | 2026-06-01 10:15:39.362474 |
| pkg:sourceforge/langchain.mirror | purl2cpe | 2026-06-01 10:15:39.362475 |

Vulnerability references

Identifier: CVE:CVE-2024-8309
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:00:24.209755
db.gcve.eu details: SQL Injection in langchain-ai/langchain
MEDIUM (4.9)
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
Published: 2024-10-29T12:50:13.198Z
Updated: 2025-10-15T12:50:40.456Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2024-7774
cpeApplicability: vulnerable
Submitted: 2026-06-08 06:58:23.406906
db.gcve.eu details: Path Traversal in langchain-ai/langchainjs
MEDIUM (6.5)
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
Published: 2024-10-29T12:49:21.165Z
Updated: 2024-10-29T13:31:38.566Z
Rationale: Imported from gcve-enriched-dumps CVE data
