Langchain Anthropic
Monthly
Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.
Path traversal and sandbox escape in LangChain prior to 1.3.9 allow untrusted inputs - including LLM-generated content steered by adversarial prompts - to escape a configured filesystem root boundary. Three components are affected: a file-search agent middleware that validates a starting directory but not glob patterns or symlink targets; prompt and chain/agent configuration loaders that resolve path fields without root confinement; and path-prefix authorization logic that performs string-prefix comparison without segment boundaries, allowing sibling paths to bypass access controls. No public exploit code has been identified at time of analysis and this CVE does not appear in CISA KEV, but the risk is meaningful for any deployment that exposes LangChain filesystem agents to untrusted user input or LLM prompt injection.