Langchain SQL Injection vulnerability

GHSA-45pg-36p6-83v9 · CVE-2024-8309 · PYSEC-2024-115

Published Oct 29, 2024 · Modified Nov 12, 2024

Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-8309
WEB https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e
WEB https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255
PACKAGE https://github.com/langchain-ai/langchain
WEB https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml
WEB https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes