Commit fcf565c
authored
chore(deps): update dependency langchain to v1.3.9 [security] (#816)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [langchain](https://redirect.github.com/langchain-ai/langchain)
([changelog](https://redirect.github.com/langchain-ai/langchain/releases?q=tag%3A%22langchain%3D%3D1%22))
| `1.3.4` → `1.3.9` |

|

|
---
### LangChain: Path traversal and sandbox escape in LangChain
file-search middleware and loaders
[GHSA-gr75-jv2w-4656](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656)
<details>
<summary>More information</summary>
#### Details
##### Summary
Several LangChain components that resolve filesystem paths or expand
search patterns do not consistently confine the *resolved* path to the
intended root directory. Affected behaviors include: a file-search agent
middleware that validates a starting directory but not the search
pattern or the resolved target of matched files, so glob patterns and
symlinks can reach files outside the configured root; prompt- and
chain/agent-configuration loaders that accept path fields and resolve
them without confining the result to a trusted base or rejecting symlink
targets; and path-prefix authorization checks that compare by string
prefix without a path-segment boundary, so a sibling path sharing the
prefix is accepted. When these components receive path values, search
patterns, or workspace contents influenced by an untrusted source —
including an LLM acting on untrusted input — the result can be
disclosure of files outside the intended boundary. We have no evidence
of this behavior being triggered in the wild.
##### Affected users / systems
You may be affected if you expose an agent with filesystem-search
middleware over a directory and accept prompts or retrieved content
influenced by untrusted sources; load prompt or chain/agent
configuration from untrusted or shared sources; or rely on path-prefix
restrictions to confine tool file access. Callers that confine these
components to fully trusted inputs and first-party configuration are not
affected.
##### Impact
- Confidentiality: disclosure of file contents outside the intended
root/sandbox.
- Authorization: path-prefix bypass can grant access to sibling
resources beyond the intended subtree.
##### Patches / mitigation
The affected components will canonicalize candidate paths (resolving
symlinks) and verify the resolved real path remains within the
configured root before reading or returning it; search patterns will be
normalized so they cannot escape the root; configuration loaders will
confine resolved path fields and reject symlink escapes unless the
caller explicitly opts in to dangerous loading; and path-prefix checks
will enforce a path-segment boundary. Path validation will be made
operating-system-portable.
##### Compatibility
Callers that already pass only in-root paths, validated configuration,
and trusted search inputs see no behavioral change. Callers that
intentionally reference external paths can opt in via the existing
dangerous-loading flag.
##### Operational guidance
Confine filesystem-backed agent tools to a dedicated directory and
prefer running them sandboxed/containerized; validate path and
identifier inputs where untrusted input enters; do not enable dangerous
loading for configuration whose origin you do not control.
##### LangSmith / hosted deployments note
This issue concerns library components executed by agents.
#### Severity
- CVSS Score: 5.1 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`
#### References
-
[https://github.com/langchain-ai/langchain/security/advisories/GHSA-gr75-jv2w-4656](https://redirect.github.com/langchain-ai/langchain/security/advisories/GHSA-gr75-jv2w-4656)
-
[https://github.com/advisories/GHSA-gr75-jv2w-4656](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-gr75-jv2w-4656)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/apify/actor-templates).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent ecbde11 commit fcf565c
1 file changed
Lines changed: 12 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments