GHSA-GR75-JV2W-4656: Path Traversal and Sandbox Escape in LangChain File-Search Middleware and Loaders
Vulnerability ID: GHSA-GR75-JV2W-4656
CVSS Score: 4.7
Published: 2026-06-16
A path traversal and sandbox escape vulnerability in LangChain and LangChain-Anthropic Python packages allows unauthenticated local attackers to access files outside the restricted directory via crafted input, symbolic links, or prefix bypasses.
TL;DR
Insecure path resolution, missing symlink checks, and a path-prefix boundary bypass in LangChain allow attackers to escape file sandboxes via directory traversal or symbolic links.
Technical Details
- CWE ID: CWE-22, CWE-59
- Attack Vector: Local
- CVSS Score: 4.7 (Moderate)
- EPSS Score: N/A
- Exploit Status: None / Unproven
- KEV Status: Not Listed
Affected Systems
- LangChain core file-search middleware
- LangChain-Anthropic integration modules
- Autonomous LLM agents with filesystem tools
-
langchain: < 1.3.9 (Fixed in:
1.3.9) -
langchain-anthropic: < 1.4.6 (Fixed in:
1.4.6)
Mitigation Strategies
- Upgrade affected packages to langchain >= 1.3.9 and langchain-anthropic >= 1.4.6
- Enforce container-level isolation to restrict process filesystem access
- Avoid string-prefix path validation without directory separators
Remediation Steps:
- Identify LangChain dependencies in requirements.txt or pyproject.toml
- Upgrade langchain package to at least version 1.3.9
- Upgrade langchain-anthropic package to at least version 1.4.6
- Redesign custom tools using pathlib and resolve() for directory validation
References
- GitHub Security Advisory GHSA-gr75-jv2w-4656
- OSV Entry for GHSA-gr75-jv2w-4656
- LangChain Core Repository
- LangChain Advisory GHSA-gr75-jv2w-4656
Read the full report for GHSA-GR75-JV2W-4656 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)