Medium

langchain

Prompt Injection Leading to SQL Injection in GraphCypherQAChain

A vulnerability in version 0.2.5 of the GraphCypherQAChain class allows prompt injection, leading to SQL injection. This issue was patched in a later version.

CVSS: 4.9

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: liadlevy

Remediation Steps
  • Add an opt-in flag set by default to False, similar to the implementation in BaseRequestsTool.
  • Sanitize user input before execution or implement whitelisting of actions.
  • Update the official documentation to include security notes and recommendations.
  • Apply the patch provided in the later version of the software.
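
The first two remediation steps, sketched as an added example (not code from this advisory or from langchain): an opt-in flag that defaults to False, and an allowlist check applied to model-generated Cypher before it runs. The names `GuardedCypherRunner`, `allow_generated_queries`, `check_read_only` and the read-only clause policy are assumptions made for illustration.

```python
import re

# Assumed policy: a question-answering chain only needs to read the graph.
READ_START = re.compile(r"^\s*(MATCH|OPTIONAL\s+MATCH|WITH|UNWIND|RETURN)\b", re.I)
MUTATING = re.compile(
    r"\b(CREATE|MERGE|DELETE|DETACH|SET|REMOVE|DROP|CALL|LOAD|FOREACH)\b", re.I)
STRING_LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


class UnsafeQueryError(ValueError):
    """Generated Cypher falls outside the read-only allowlist."""


def check_read_only(cypher: str) -> str:
    """Return the query unchanged if it is one read-only statement, else raise."""
    # Blank out string literals so data such as 'SET' is not read as a clause.
    code = STRING_LITERAL.sub("''", cypher)
    # Any quote left besides the '' placeholders means an unterminated literal.
    if "'" in code.replace("''", "") or '"' in code:
        raise UnsafeQueryError("unbalanced quote")
    # Fail closed on comments and backtick identifiers, which can hide clauses.
    if "//" in code or "/*" in code or "`" in code:
        raise UnsafeQueryError("comments and backtick identifiers are rejected")
    if ";" in code.rstrip().rstrip(";"):
        raise UnsafeQueryError("multiple statements")
    if not READ_START.match(code):
        raise UnsafeQueryError("query must start with a reading clause")
    hit = MUTATING.search(code)
    if hit:
        raise UnsafeQueryError(f"clause not allowed: {hit.group(1).upper()}")
    return cypher


class GuardedCypherRunner:
    """Hypothetical wrapper around the function that executes Cypher."""

    def __init__(self, run_query, allow_generated_queries: bool = False):
        # Opt-in flag, False by default: the caller must acknowledge the risk.
        if not allow_generated_queries:
            raise ValueError(
                "pass allow_generated_queries=True to acknowledge that "
                "model-generated queries will reach the database")
        self._run_query = run_query

    def run(self, generated_cypher: str):
        # Validate before execution; the executor never sees a rejected query.
        return self._run_query(check_read_only(generated_cypher))
```

The check fails closed: a query that uses a property or label named like a mutating clause is rejected rather than parsed.
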
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A