PT-2026-50596 · Maven · Dev.Langchain4J:Langchain4J-Mariadb+1
Published 2026-06-17 · Updated 2026-06-17 · CVE-2026-55405
CVSS v3.1: 7.6 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L |
Summary

The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations.

Details
pgvector, JSON mode (default, COMBINED_JSON / COMBINED_JSONB). JSONFilterMapper places the key inside a single-quoted SQL literal (the JSON key of the ->> operator) with no escaping:

(metadata->>'<key>')::text

A key containing a single quote breaks out, e.g. metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --") injects a live pg_sleep(1) (observable as a delay; exploitable for blind data extraction).

pgvector, column mode (COLUMN_PER_KEY). ColumnFilterMapper used the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as 1=1 OR true -- injects directly.

MariaDB, JSON mode (default). JSONFilterMapper placed the key inside the JSON path literal '$.<key>' unescaped (same break-out mechanism). Additionally, MariaDbFilterMapper.formatValue() escaped ' but not \; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.

MariaDB, column mode (COLUMN_PER_KEY). ColumnFilterMapper fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).

The filter key is the runtime injection surface; both stores' search() (including pgvector's HYBRID mode) and removeAll(Filter) are affected. Add/upsert operations are parameterized and not affected.

Impact
Applications that allow attacker-influenced metadata filter keys (e.g. LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and, through removeAll(Filter), deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys do not expose a reachable injection path.
Patches

Fixed in langchain4j-mariadb and langchain4j-pgvector 1.16.3-beta26:
- JSON filter keys are escaped before being embedded in the SQL string literal (PostgreSQL: quotes doubled, correct for standard_conforming_strings = on; MariaDB: backslash and single quote).
- MariaDB string values escape both \ and '.
- Column-mode keys are validated/quoted as identifiers and rejected when they cannot be quoted; they are never concatenated as raw SQL.
Workarounds
- Do not pass untrusted input as metadata filter keys.
- Restrict filter keys to a known allow-list at the application layer.
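The escaping rules from the patch and the allow-list from the workarounds, as an added Python example that is not langchain4j's own code: it models the pgvector JSON-mode and MariaDB literal escaping, a small quote scanner that checks whether a fragment's literal still ends where intended, and an identifier check for column-mode keys. The function names, the identifier regex and the sample inputs are constructed for this example.

```python
import re

# Constructed inputs that mirror the advisory: the key that breaks out of a
# PostgreSQL literal, and a MariaDB string value ending in a backslash.
PG_BREAKOUT_KEY = "')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --"
MARIADB_BREAKOUT_VALUE = "value\\"

def pg_json_key_fragment(key: str, escape: bool = True) -> str:
    """pgvector JSON-mode fragment. With standard_conforming_strings = on, doubling '
    is the only escape needed; escape=False reproduces the unescaped concatenation."""
    if escape:
        key = key.replace("'", "''")
    return "(metadata->>'" + key + "')::text"

def mariadb_literal(value: str, escape_backslash: bool = True) -> str:
    """MariaDB string literal (same rule covers the '$.<key>' JSON path). Backslash is
    an escape char by default, so escape it first; False reproduces old formatValue()."""
    if escape_backslash:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "\\'") + "'"

def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index of the quote closing the literal opened at sql[start], or -1 if it never
    closes. '' always continues the literal; backslash-x only in MariaDB default mode."""
    i = start + 1
    while i < len(sql):
        if backslash_escapes and sql[i] == "\\":
            i += 2
        elif sql[i] == "'" and sql[i + 1:i + 2] != "'":
            return i
        elif sql[i] == "'":
            i += 2
        else:
            i += 1
    return -1

def literal_intact(sql: str, backslash_escapes: bool = False) -> bool:
    """True when the first literal runs to the last quote of the fragment, i.e. no part
    of the embedded key or value is parsed as SQL."""
    end = literal_end(sql, sql.index("'"), backslash_escapes)
    return end == sql.rindex("'")

IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

def column_key(key: str, allowed: frozenset) -> str:
    """Column-mode key: application allow-list (the advisory's workaround) plus an
    identifier-syntax check, then quoted; a bad key is rejected, never concatenated."""
    if key not in allowed or not IDENTIFIER.match(key):
        raise ValueError(f"rejected metadata filter key: {key!r}")
    return '"' + key + '"'
```

The scanner is a model of the server tokenizer for these two cases only, not a full SQL lexer; use it to unit-test escaping code, not as a runtime filter.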
References
- pgvector: JSONFilterMapper, ColumnFilterMapper
- MariaDB: JSONFilterMapper, MariaDbFilterMapper, ColumnFilterMapper
Fix
SQL injection
Affected products
Dev.Langchain4J:Langchain4J-Mariadb
Dev.Langchain4J:Langchain4J-Pgvector