Description
A vulnerability was found in LangChain langchain_community 0.0.26. It has been classified as critical. Affected is the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.0.27 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-255372.
References (5)
Core 5
Core References
Permissions Required vdb-entry
technical-description
https://vuldb.com/?id.255372
Permissions Required signature
permissions-required
https://vuldb.com/?ctiid.255372
Broken Link broken-link
https://github.com/bayuncao/vul-cve-16
Broken Link broken-link
exploit
https://github.com/bayuncao/vul-cve-16/tree/main/PoC.pkl
Patch issue-tracking
patch
https://github.com/langchain-ai/langchain/pull/18695
Scores
CVSS v3
6.3
EPSS
0.0006
EPSS Percentile
18.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (1)
langchain/langchain
0.0.26
Published
Mar 01, 2024
Tracked Since
Feb 18, 2026