Vulnerability Description
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Langchain | Langchain | < 0.3.1 |
Related Weaknesses (CWE)
References
- https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfPatch
- https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2dExploitThird Party Advisory
FAQ
What is CVE-2024-7042?
CVE-2024-7042 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability pe...
How severe is CVE-2024-7042?
CVE-2024-7042 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-7042?
Check the references section above for vendor advisories and patch information. Affected products include: Langchain Langchain.