Skip to content

Commit fcf565c

Browse files
chore(deps): update dependency langchain to v1.3.9 [security] (#816)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [langchain](https://redirect.github.com/langchain-ai/langchain) ([changelog](https://redirect.github.com/langchain-ai/langchain/releases?q=tag%3A%22langchain%3D%3D1%22)) | `1.3.4` → `1.3.9` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/langchain/1.3.9?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/langchain/1.3.4/1.3.9?slim=true) | --- ### LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders [GHSA-gr75-jv2w-4656](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656) <details> <summary>More information</summary> #### Details ##### Summary Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the *resolved* path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source — including an LLM acting on untrusted input — the result can be disclosure of files outside the intended boundary. We have no evidence of this behavior being triggered in the wild. ##### Affected users / systems You may be affected if you expose an agent with filesystem-search middleware over a directory and accept prompts or retrieved content influenced by untrusted sources; load prompt or chain/agent configuration from untrusted or shared sources; or rely on path-prefix restrictions to confine tool file access. Callers that confine these components to fully trusted inputs and first-party configuration are not affected. ##### Impact - Confidentiality: disclosure of file contents outside the intended root/sandbox. - Authorization: path-prefix bypass can grant access to sibling resources beyond the intended subtree. ##### Patches / mitigation The affected components will canonicalize candidate paths (resolving symlinks) and verify the resolved real path remains within the configured root before reading or returning it; search patterns will be normalized so they cannot escape the root; configuration loaders will confine resolved path fields and reject symlink escapes unless the caller explicitly opts in to dangerous loading; and path-prefix checks will enforce a path-segment boundary. Path validation will be made operating-system-portable. ##### Compatibility Callers that already pass only in-root paths, validated configuration, and trusted search inputs see no behavioral change. Callers that intentionally reference external paths can opt in via the existing dangerous-loading flag. ##### Operational guidance Confine filesystem-backed agent tools to a dedicated directory and prefer running them sandboxed/containerized; validate path and identifier inputs where untrusted input enters; do not enable dangerous loading for configuration whose origin you do not control. ##### LangSmith / hosted deployments note This issue concerns library components executed by agents. #### Severity - CVSS Score: 5.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` #### References - [https://github.com/langchain-ai/langchain/security/advisories/GHSA-gr75-jv2w-4656](https://redirect.github.com/langchain-ai/langchain/security/advisories/GHSA-gr75-jv2w-4656) - [https://github.com/advisories/GHSA-gr75-jv2w-4656](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656) This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/apify/actor-templates). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent ecbde11 commit fcf565c

1 file changed

Lines changed: 12 additions & 12 deletions

File tree

uv.lock

Lines changed: 12 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)