CVE-2024-7042: Prompt Injection in langchain-ai/langchainjs Leading to SQL Injection

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-7042

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Prompt Injection in langchain-ai/langchainjs Leading to SQL Injection

Source: NVD (National Vulnerability Database)

Vulnerability Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

LangChain.js SQL注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

LangChain.js是LangChain开源的一个构建上下文感知推理应用程序。 LangChain.js 0.2.5及之前版本存在SQL注入漏洞，该漏洞源于允许即时注入，从而导致SQL注入，攻击者可以在未经适当授权的情况下创建、更新或删除节点和关系、提取敏感数据、破坏服务、跨不同租户访问数据并破坏数据库的完整性。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
langchain-ai	langchain-ai/langchainjs	unspecified ~ 0.3.1	-

II. Public POCs for CVE-2024-7042

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-7042

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: langchain-ai/langchainjs

CVE-2024-7774
Path Traversal in langchain-ai/langchainjs

Same vendor: langchain-ai

Same weakness: CWE-89

V. Comments for CVE-2024-7042

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-7042

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-7042

III. Intelligence Information for CVE-2024-7042

IV. Related Vulnerabilities

V. Comments for CVE-2024-7042

Leave a comment