CVE-2024-7042 — CRITICAL (CVSS 9.8) AI Security Vulnerability

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain	pip	—	No patch

Do you use langchain? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Weaknesses (CWE)

CWE-89

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6
Patch
huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d
Exploit 3rd Party

Timeline

Published

October 29, 2024

Last Modified

October 31, 2024

First Seen

October 29, 2024