Medium

langchainjs

Prompt Injection Leading to SQL Injection in GraphCypherQAChain Class

A vulnerability in the GraphCypherQAChain class of version 0.2.5 and all versions with this class allows prompt injection leading to SQL injection. This issue was patched in a later version.

Available publicly on Sep 26 2024

CVSS score: 4.9

CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Credit: liadlevy
Remediation Steps
  • Implement input sanitization or allowlist checks after extracting Cypher queries.
  • Add an opt-in flag for executing Cypher queries, set by default to False.
  • Update to the latest version where this vulnerability is patched.
  • Review and follow security recommendations for establishing permissions and robust security controls at the class level.
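As an added example (not langchainjs code, and not how GraphCypherQAChain itself extracts or runs queries), the JavaScript below shows the first two remediation steps working together: an execution gate that is off by default, and a conservative allowlist check applied to the extracted Cypher text before it reaches the database. The names `validateCypher`, `executeExtractedCypher` and `allowCypherExecution` are hypothetical, and the sample queries at the bottom are constructed for illustration.

```javascript
// Added example: a defensive gate for LLM-generated Cypher (hypothetical names,
// not the langchainjs API).

// Clauses that mutate the graph or invoke procedures. Any token matching one of
// these rejects the query. Cypher keywords are case-insensitive, so tokens are
// uppercased before comparison.
const WRITE_OR_PROCEDURE_TOKENS = new Set([
  'CREATE', 'MERGE', 'DELETE', 'DETACH', 'SET', 'REMOVE', 'DROP',
  'CALL', 'LOAD', 'FOREACH', 'ALTER', 'GRANT', 'DENY', 'REVOKE',
]);

// A read query must open with one of these clauses.
const READ_STARTERS = new Set(['MATCH', 'OPTIONAL', 'WITH', 'RETURN', 'UNWIND']);

const MAX_QUERY_LENGTH = 2000;

// Blank out comments, quoted string literals and backtick identifiers so that a
// keyword inside user-controlled text (e.g. a movie title containing "DELETE")
// does not trigger a false positive, and so that nothing hides in a comment.
function neutralizeLiterals(query) {
  return query
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/'(?:\\.|[^'\\])*'/g, "''")
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/`(?:[^`])*`/g, '`x`');
}

// Returns { ok: true } or { ok: false, reason } for an extracted Cypher query.
// The check is deliberately conservative: it prefers rejecting a legitimate
// query over executing a harmful one.
function validateCypher(query) {
  if (typeof query !== 'string' || query.trim() === '') {
    return { ok: false, reason: 'empty query' };
  }
  if (query.length > MAX_QUERY_LENGTH) {
    return { ok: false, reason: 'query too long' };
  }
  const cleaned = neutralizeLiterals(query);
  if (cleaned.includes(';')) {
    return { ok: false, reason: 'multiple statements' };
  }
  const tokens = cleaned.toUpperCase().match(/[A-Z_]+/g) || [];
  if (tokens.length === 0 || !READ_STARTERS.has(tokens[0])) {
    return { ok: false, reason: 'query does not start with a read clause' };
  }
  const bad = tokens.find((t) => WRITE_OR_PROCEDURE_TOKENS.has(t));
  if (bad) {
    return { ok: false, reason: `disallowed clause ${bad}` };
  }
  return { ok: true };
}

// Opt-in execution gate. `execute` is whatever runs the query against the
// database (a driver session, for instance); it is only ever called when the
// caller explicitly enabled execution and the query passed validation.
function executeExtractedCypher(query, execute, options = {}) {
  const { allowCypherExecution = false } = options;
  if (!allowCypherExecution) {
    throw new Error('Cypher execution is disabled by default; pass { allowCypherExecution: true } to opt in');
  }
  const verdict = validateCypher(query);
  if (!verdict.ok) {
    throw new Error(`Rejected generated Cypher: ${verdict.reason}`);
  }
  return execute(query);
}

// Constructed sample queries, as an LLM might produce them from a prompt.
const SAMPLE_QUERIES = [
  "MATCH (p:Person)-[:ACTED_IN]->(m:Movie) WHERE m.title = 'Top Gun' RETURN p.name",
  "MATCH (m:Movie {title: 'DELETE everything'}) RETURN m.released",
  'MATCH (n) DETACH DELETE n',
  'MATCH (n) RETURN n; CREATE (:Injected)',
  'CALL db.labels()',
];

for (const q of SAMPLE_QUERIES) {
  console.log(JSON.stringify(validateCypher(q)), '<=', q);
}
```

The text check leans toward refusal: a property legitimately named `set` or `call` will be rejected, which is the intended trade-off for queries whose wording an attacker can influence through the prompt. It is a guard at the class level, not a substitute for connecting the chain with a database role that has read-only privileges, which limits the damage of anything the check misses.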
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A