Impact
The Librarian contains an information‑leakage vulnerability linked to its web_fetch tool. The tool allows an attacker to request any external URL, causing the application to fetch the content and potentially expose it. This can be used to proxy arbitrary requests through the Librarian’s infrastructure, effectively turning the service into a relay for malicious traffic or enabling the retrieval of sensitive information that shouldn’t be publicly accessed. The flaw represents an information exposure weakness that could expose data the application is not intended to disclose.
Affected Systems
The Librarian.io product, known simply as The Librarian, is impacted. All releases prior to the vendor‑provided fix are vulnerable, and the vendor has released a patch that removes the flaw from every current version of the application.
Risk and Exploitability
The CVSS base score of 7.5 places the weakness in the high‑severity range. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and it is not currently listed in the CISA KEV catalog. The most likely attack route is a network‑based request: an attacker can supply a crafted URL to the web_fetch tool and cause The Librarian to retrieve arbitrary content, thereby using the system as a proxy or leaking external data. No privileged execution is required on the target system.
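As an added illustration of the mitigation a fetch tool of this kind needs (example code written for this page, not the vendor's patch and not The Librarian's own code), the check below refuses non-HTTP schemes, embedded credentials, and any host that resolves to a loopback, private, link-local or otherwise non-public address before a request is made. The hostnames and the offline `FAKE_DNS` table are constructed for the demo; in a real deployment `resolver` would wrap actual DNS lookups.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed offline stand-in for DNS so the example runs without network
# access; every hostname and address below is made up for the demonstration.
FAKE_DNS = {
    "docs.example.org": ["93.184.216.34"],
    "intranet.local": ["10.0.0.12"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example.org": ["93.184.216.34", "127.0.0.1"],
}

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # is_global is False for loopback, RFC 1918, link-local (which covers the
    # 169.254.169.254 cloud metadata endpoint), ULA IPv6, unspecified and
    # reserved ranges; multicast is excluded explicitly for older Pythons.
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url: str, resolver=None) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL a web-fetch tool is asked to retrieve."""
    resolve = resolver or (lambda host: FAKE_DNS.get(host, []))
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        ipaddress.ip_address(host)  # literal IP: no lookup needed
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, f"unresolvable host: {host}"
    # A single internal record among the answers is enough to refuse the fetch.
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The check is only effective if the fetch then connects to the address that was validated rather than resolving the name a second time, and if every redirect target is passed back through it before being followed.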
OpenCVE Enrichment