PT-2023-24019 · Langchain · Langchain
Rharang · Published 2023-10-20 · Updated 2026-05-27
CVE-2023-32786
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Langchain versions 0.0.0 through 0.0.155
Langchain versions prior to 0.0.329
Description
The issue allows an attacker, by way of prompt injection, to force the service to retrieve data from an arbitrary URL, which amounts to Server-Side Request Forgery (SSRF), and potentially to inject the retrieved content into downstream tasks.
Recommendations
For versions 0.0.0 through 0.0.155, update to version 0.0.329 or later.
For versions prior to 0.0.329, update to version 0.0.329 or later.
As a temporary workaround, consider restricting the service's ability to act on injected prompts that direct it to retrieve data from arbitrary URLs until the update can be applied.
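A pre-fetch guard of the kind the workaround above calls for, written as an added example for this advisory and not LangChain's own code: before a service fetches a URL that a model produced from untrusted input, the guard rejects non-http(s) schemes, embedded credentials, hosts outside a constructed allowlist, and names that resolve to non-public addresses. The allowlist contents, `default_resolver`, `is_safe_fetch_url` and `guarded_fetch` are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for this example: the only hosts a model-chosen URL
# may point at. Anything else is refused before any request is made.
ALLOWED_HOSTS = {"docs.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve host to all of its addresses via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """True only if url may be fetched on behalf of an untrusted prompt.

    Checks: parseable, http(s) only, no embedded credentials, host on the
    allowlist, and every address it resolves to is public, so an allowlisted
    name cannot be pointed at loopback, RFC 1918 or link-local ranges.
    """
    try:
        parsed = urlparse(url)
        parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if parsed.username or parsed.password:  # no embedded credentials
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False
    try:
        addrs = resolver(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def guarded_fetch(url, fetch, resolver=default_resolver):
    """Call fetch(url) only when the guard passes; return None when refused.

    The guard and the request resolve the name separately, so a hardened
    deployment also pins the checked address and re-runs the guard on
    every redirect to resist DNS rebinding.
    """
    if not is_safe_fetch_url(url, resolver=resolver):
        return None
    return fetch(url)
```

The resolver is injectable so the guard can be unit-tested without network access; in production the default uses the system resolver.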
Fix
SSRF
Special Elements Injection
Affected Products
Langchain