Primary

Context

Langchaingo Server-Side Template Injection Vulnerability Allowing Unauthorized File Access

Vulnerability

A server-side template injection vulnerability has been identified in Langchaingo, specifically in versions that support Jinja2 syntax. This vulnerability arises from the use of the Gonja library, which allows templates to include and extend other files. An attacker can exploit this by injecting a statement into a prompt that reads the '/etc/passwd' file, leading to unauthorized access to sensitive file information.

Impact

Exploitation of this vulnerability allows for server-side template injection, where an attacker can manipulate template rendering to execute arbitrary code or access restricted files on the server.

Remediation

Langchaingo has introduced a patch that changes the prompt package to use a more secure default rendering context for Jinja2-compatible syntax. Users should update to the latest version of Langchaingo to apply this security enhancement.

Added: Sep 12, 2025, 2:17 PM

Updated: Sep 12, 2025, 2:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.3

exploitability

7.4

remediation

0.0

relevance

0.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

3.3

exploitability

7.4

remediation

0.0

relevance

0.5

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Langchaingo Server-Side Template Injection Vulnerability Allowing Unauthorized File Access

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating