A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
References
Link | Resource |
---|---|
https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6 | Patch |
https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d | Exploit Third Party Advisory |
Configurations
History
31 Oct 2024, 18:36
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
References | () https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6 - Patch | |
References | () https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d - Exploit, Third Party Advisory | |
Summary |
|
|
First Time |
Langchain
Langchain langchain |
|
CPE | cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:* |
29 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 13:15
Updated : 2024-10-31 18:36
NVD link : CVE-2024-7042
Mitre link : CVE-2024-7042
CVE.ORG link : CVE-2024-7042
JSON object : View
Products Affected
langchain
- langchain
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')