CVE-2025-45150 is a vulnerability identified in the LangChain-ChatGLM-Webui project, specifically in the commit ef829. The issue arises from insecure permissions that allow an attacker to arbitrarily view and download sensitive files by supplying a crafted request. This indicates a lack of proper access control mechanisms on the web interface or API endpoints, enabling unauthorized file access. The vulnerability does not specify affected versions, suggesting it may impact the current or recent versions of the software at the time of discovery. No CVSS score has been assigned yet, and there are no known exploits in the wild as of the publication date. The lack of patch links implies that a fix may not have been released or publicly disclosed at the time of this report. The vulnerability could be exploited remotely without authentication if the web interface is exposed, making it a significant risk for any deployment of this software that handles sensitive or confidential data. Attackers could leverage this flaw to exfiltrate critical files, potentially including configuration files, credentials, or user data, leading to confidentiality breaches and further system compromise.

For European organizations utilizing LangChain-ChatGLM-Webui, this vulnerability poses a substantial risk to data confidentiality and system integrity. Unauthorized access to sensitive files could lead to exposure of personal data protected under GDPR, resulting in legal and financial repercussions. Additionally, the ability to download arbitrary files could facilitate further attacks such as privilege escalation or lateral movement within the network. Organizations in sectors like finance, healthcare, and government, where sensitive information is prevalent, would be particularly vulnerable. The impact extends beyond data loss to potential reputational damage and operational disruption if critical system files are accessed or manipulated. Since the vulnerability does not require authentication, any exposed instance of the software on public or internal networks could be targeted, increasing the attack surface. The absence of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

1. Immediately restrict access to the LangChain-ChatGLM-Webui interface to trusted internal networks or VPNs to reduce exposure. 2. Implement strict access control policies and validate permissions on all file access endpoints to ensure users can only access authorized files. 3. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious crafted requests targeting file access. 4. Conduct thorough code reviews and security testing focusing on file permission handling and input validation in the affected commit and subsequent versions. 5. Monitor logs for unusual file access patterns or large data downloads from the web interface. 6. If possible, disable or isolate the vulnerable component until a patch or update is available. 7. Engage with the LangChain-ChatGLM-Webui development community or vendor for updates and patches addressing this vulnerability. 8. Educate system administrators and security teams about this vulnerability to ensure rapid detection and response.