CRITICAL🇵🇱 Wersja polska

CVE-2024-7042

CVSS 9.8v3.1pub. 2024-10-29upd. 2024-10-31

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

🤖 AI Analysis
How it works

An attacker without any permissions and without user interaction can inject malicious data into the prompt handled by the GraphCypherQAChain class, resulting in execution of unintended database queries (SQL injection). Lack of proper input validation and sanitization allows manipulation of queries directed to the graph database. As a result, it is possible to create, modify, and delete nodes and relationships without authorization.

Impact

An attacker can perform unauthorized data manipulation, exfiltrate sensitive information, destroy all data in the database (DoS), gain access to data of other tenants in multi-tenant environments, and compromise the integrity of the entire database.

Mitigation & patch

Patches available from the vendor should be applied according to references — available fix commit: https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6. It is recommended to update the library to a version containing the fix as soon as possible.

Who is affected

langchain-ai/langchainjs version 0.2.5 and all versions containing the GraphCypherQAChain class

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Langchain

    APP
    Langchain
    < 0.3.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiDoS
CWE
References

Related vulnerabilities

CVE-2025-2828CRITICAL10.0PL ✓ten sam produkt

SSRF w LangChain RequestsToolkit — dostęp do sieci wewnętrznej i metadanych chmury

CVE-2024-8309CRITICAL9.8PL ✓ten sam produkt

SQL injection przez prompt injection w LangChain GraphCypherQAChain

CVE-2023-39631CRITICAL9.8ten sam produkt

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluat...

CVE-2023-36281CRITICAL9.8ten sam produkt

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_pro...

CVE-2023-38860CRITICAL9.8ten sam produkt

An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.