CRITICAL🇵🇱 Wersja polska

CVE-2024-8309

CVSS 9.8v3.1pub. 2024-10-29upd. 2024-11-01

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

🤖 AI Analysis
How it works

An attacker can inject malicious instructions through the prompt injection mechanism, which are then passed without proper sanitization to queries executed by the GraphCypherQAChain class. Lack of proper input validation (CWE-89, CWE-74) allows embedding arbitrary commands in the context of graph database queries. As a result, an attacker can perform operations to create, modify, and delete nodes and relationships in the database without required authorization.

Impact

An attacker can conduct unauthorized exfiltration of sensitive data, delete all data causing a DoS attack, breach data isolation in multi-tenant environments, and compromise database integrity by creating, updating, or deleting nodes and relationships.

Mitigation & patch

Apply patches available from the vendor according to references — fix available in the GitHub repository under commit c2a3021bb0c5f54649d380b42a0684ca5778c255

Who is affected

langchain-ai/langchain version 0.2.5, GraphCypherQAChain component

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Langchain

    APP
    Langchain
    0.2.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiDoS
CWE
References

Related vulnerabilities

CVE-2025-2828CRITICAL10.0PL ✓ten sam produkt

SSRF w LangChain RequestsToolkit — dostęp do sieci wewnętrznej i metadanych chmury

CVE-2024-7042CRITICAL9.8PL ✓ten sam produkt

SQL injection przez prompt injection w LangChain GraphCypherQAChain

CVE-2023-39631CRITICAL9.8ten sam produkt

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluat...

CVE-2023-36281CRITICAL9.8ten sam produkt

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_pro...

CVE-2023-38860CRITICAL9.8ten sam produkt

An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.