Description
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection.
Recommendation
Update the @langchain/community package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.3
- Patched version(s): 0.3.3
References
Related Issues
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- FUXA SQL Injection vulnerability (GHSA-p46g-8c3q-89p2) - CVE-2023-31719
- FUXA SQL Injection vulnerability - CVE-2023-31717
- Langchain Path Traversal vulnerability - CVE-2024-7774
- Tags:
- npm
- @langchain/community
Anything's wrong? Let us know Last updated on November 01, 2024