Langchain-Core Arbitrary File Read Vulnerability via ImagePromptTemplate
Vulnerability
A vulnerability exists in langchain-core versions 0.1.17 prior to 0.1.53, 0.2.0 prior to 0.2.43, and 0.3.0 prior to 0.3.15. It allows unauthorized users to read arbitrary files from the host file system. The issue arises because ImagePromptTemplate (and, by extension, ChatPromptTemplate) instances can be created with input variables that resolve to any user-specified file path on the server. If the outputs of these prompt templates are exposed to users, either directly or through downstream model outputs, sensitive information can be leaked.
Impact
Exploitation of this vulnerability could lead to unauthorized reading of files from the host file system, potentially exposing sensitive information.
Reproduction
The vulnerability can be reproduced by creating a ChatPromptTemplate that includes a HumanMessagePromptTemplate whose image_url variable points to a file path on the server. When the prompt is invoked, the template reads the file contents and encodes them in base64. If that output is then passed to a compatible chat model, the model responds based on the file contents, effectively leaking the file data.
Remediation
Users should upgrade to langchain-core 0.1.53, 0.2.43, or 0.3.15 (whichever matches the installed minor release) to address this vulnerability.
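As an added example (not part of this advisory or of the langchain project's own code), the Python helpers below check an installed langchain-core version against the affected ranges stated above and reject image_url prompt variables that are not http(s) or base64 data: URLs, so a user-controlled value can never name a local file. The allowed-scheme policy and the check_prompt_inputs name are assumptions made for this example; the validator is application-side defense in depth, not a substitute for upgrading.

```python
import re
from urllib.parse import urlparse

# Affected ranges from the advisory: [0.1.17, 0.1.53), [0.2.0, 0.2.43), [0.3.0, 0.3.15)
AFFECTED_RANGES = [
    ((0, 1, 17), (0, 1, 53)),
    ((0, 2, 0), (0, 2, 43)),
    ((0, 3, 0), (0, 3, 15)),
]

# Assumed policy for this example: only remote http(s) URLs and base64 image
# data: URLs may reach an image-bearing prompt variable.
ALLOWED_SCHEMES = {"http", "https"}


def parse_version(version: str) -> tuple:
    """Turn '0.2.10' (optionally with a suffix such as 'rc1') into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if the given langchain-core version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def is_safe_image_url(value) -> bool:
    """Accept only http(s) URLs with a host or base64 'data:image/...' URLs.
    Bare paths, file:// URLs and drive-letter paths all fail this check."""
    if not isinstance(value, str) or not value.strip():
        return False
    value = value.strip()
    if value.startswith("data:image/"):
        return ";base64," in value
    parsed = urlparse(value)
    return parsed.scheme in ALLOWED_SCHEMES and bool(parsed.netloc)


def check_prompt_inputs(inputs: dict, image_keys=("image_url",)) -> dict:
    """Validate image-bearing variables before a template is invoked.
    Returns the inputs unchanged when clean; raises ValueError otherwise."""
    bad = [k for k in image_keys if k in inputs and not is_safe_image_url(inputs[k])]
    if bad:
        raise ValueError(f"refusing image input(s) {bad}: not an allowed URL")
    return inputs
```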
