SCA: security update for langchain-core (GHSA-5chr-fjjv-38qv)

medium Tenable Cloud Security Plugin ID 421187

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows
unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to
create langchain_core.prompts.ImagePromptTemplate's (and by extension
langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path
from the server file system. If the outputs of these prompt templates are exposed to the user, either
directly or through downstream model outputs, it can lead to the exposure of sensitive information.
(CVE-2024-10940)

See Also

https://github.com/advisories/GHSA-5chr-fjjv-38qv

Plugin Details

Severity: Medium

ID: 421187

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 3/21/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-10940

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/20/2025

Vulnerability Publication Date: 3/20/2025

Reference Information

CVE: CVE-2024-10940

cwe: CWE-497