GHSA-GR75-JV2W-4656

GHSA-GR75-JV2W-4656 is a medium-severity path traversal vulnerability in langchain (pip), affecting versions <= 1.3.8. It is fixed in 1.3.9, 1.4.6.

Summary

Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or the resolved target of matched files, so glob patterns and symlinks can reach files outside the configured root; prompt- and chain/agent-configuration loaders that accept path fields and resolve them without confining the result to a trusted base or rejecting symlink targets; and path-prefix authorization checks that compare by string prefix without a path-segment boundary, so a sibling path sharing the prefix is accepted. When these components receive path values, search patterns, or workspace contents influenced by an untrusted source, including an LLM acting on untrusted input, the result can be disclosure of files outside the intended boundary. We have no evidence of this behavior being triggered in the wild.

Affected users / systems

You may be affected if you expose an agent with filesystem-search middleware over a directory and accept prompts or retrieved content influenced by untrusted sources; load prompt or chain/agent configuration from untrusted or shared sources; or rely on path-prefix restrictions to confine tool file access. Callers that confine these components to fully trusted inputs and first-party configuration are not affected.

Patches / mitigation

The affected components will canonicalize candidate paths (resolving symlinks) and verify the resolved real path remains within the configured root before reading or returning it; search patterns will be normalized so they cannot escape the root; configuration loaders will confine resolved path fields and reject symlink escapes unless the caller explicitly opts in to dangerous loading; and path-prefix checks will enforce a path-segment boundary. Path validation will be made operating-system-portable.

Compatibility

Callers that already pass only in-root paths, validated configuration, and trusted search inputs see no behavioral change. Callers that intentionally reference external paths can opt in via the existing dangerous-loading flag.

Operational guidance

Confine filesystem-backed agent tools to a dedicated directory and prefer running them sandboxed/containerized; validate path and identifier inputs where untrusted input enters; do not enable dangerous loading for configuration whose origin you do not control.

LangSmith / hosted deployments note

This issue concerns library components executed by agents.

Impact

  • Confidentiality: disclosure of file contents outside the intended root/sandbox.
  • Authorization: path-prefix bypass can grant access to sibling resources beyond the intended subtree.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

GHSA-GR75-JV2W-4656 has a CVSS score of 5.1 (Medium). The vector is requires local access, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.3.9, 1.4.6); upgrading removes the vulnerable code path.

Affected versions

langchain (<= 1.3.8) langchain-anthropic (<= 1.4.5)

Security releases

langchain → 1.3.9 (pip) langchain-anthropic → 1.4.6 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

langchain to 1.3.9 or later; langchain-anthropic to 1.4.6 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-GR75-JV2W-4656? GHSA-GR75-JV2W-4656 is a medium-severity path traversal vulnerability in langchain (pip), affecting versions <= 1.3.8. It is fixed in 1.3.9, 1.4.6. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is GHSA-GR75-JV2W-4656? GHSA-GR75-JV2W-4656 has a CVSS score of 5.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by GHSA-GR75-JV2W-4656?
    • langchain (pip) (versions <= 1.3.8)
    • langchain-anthropic (pip) (versions <= 1.4.5)
  4. Is there a fix for GHSA-GR75-JV2W-4656? Yes. GHSA-GR75-JV2W-4656 is fixed in 1.3.9, 1.4.6. Upgrade to this version or later.
  5. Is GHSA-GR75-JV2W-4656 exploitable, and should I be worried? Whether GHSA-GR75-JV2W-4656 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-GR75-JV2W-4656 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-GR75-JV2W-4656?
    • Upgrade langchain to 1.3.9 or later
    • Upgrade langchain-anthropic to 1.4.6 or later

Other vulnerabilities in langchain

CVE-2026-45134CVE-2025-68665CVE-2024-8309CVE-2024-7774CVE-2024-2965

Stop the waste.
Protect your environment with Kodem.