Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-10940 | langchain-core: file read via prompt template inputs | langchain-core | 5.3 |
| CRITICAL | CVE-2025-2828 | LangChain RequestsToolkit: SSRF exposes cloud metadata | langchain | 10.0 |
| CRITICAL | CVE-2025-6853 | Langchain-Chatchat: path traversal in KB upload | langchain-chatchat | 9.8 |
| MEDIUM | CVE-2025-6854 | Langchain-Chatchat: path traversal in file API exposes host FS | langchain-chatchat | 4.3 |
| HIGH | CVE-2025-6855 | Langchain-Chatchat: path traversal exposes system files | langchain-chatchat | 8.8 |
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | 9.8 | |
| CRITICAL | CVE-2025-45150 | ChatGLM-Webui: arbitrary file read, no auth required | langchain-chatglm-webui | 9.8 |
| HIGH | CVE-2025-6984 | EverNoteLoader: XXE exposes host files in LangChain | langchain-community | 7.5 |
| CRITICAL | CVE-2025-9556 | langchaingo: Jinja2 SSTI allows host filesystem read | 9.8 | |
| MEDIUM | CVE-2025-58177 | n8n: stored XSS in LangChain chat trigger (public) | n8n | 5.4 |
| HIGH | CVE-2025-6985 | langchain-text-splitters: XXE enables arbitrary file read | langchain-text-splitters | 7.5 |
| HIGH | CVE-2025-8709 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | CVE-2025-65106 | langchain-core: security flaw enables exploitation | langchain-core | - |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| CRITICAL | CVE-2025-68665 | langchain.js: Deserialization enables RCE | langchain.js | 9.1 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain_core | 3.7 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain_community | 4.1 |
| CRITICAL | CVE-2023-3686 | QuickAI: unauthenticated SQLi exposes OpenAI API keys | quickai_openai | 9.8 |
| HIGH | CVE-2024-34527 | SolidUI: OpenAI API key exposed via log print statement | 7.5 | |
| MEDIUM | CVE-2024-0451 | wpbot: missing auth exposes OpenAI account files | wpbot | 5.0 |