Langchain-AI/Langchain.js GraphCypherQAChain Vulnerability: Unauthorized Data Manipulation and Exfiltration
CVE-2024-7042
9.8CRITICAL
What is CVE-2024-7042?
A vulnerability in the GraphCypherQAChain class of LangchainJS versions 0.2.5 and earlier enables prompt injection, which can lead to SQL injection attacks. This security flaw allows attackers to manipulate data unauthorizedly, potentially extracting sensitive information, disrupting service availability, and compromising data across multi-tenant environments. The flaw can result in unauthorized creation, updating, or deletion of database nodes and relationships, posing significant risks to data integrity and security.
Affected Version(s)
langchain-ai/langchainjs < 0.3.1
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
CVSS V3.0
Score:
4.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published