PT-2024-38931 · Langchain Ai · Langchain-Community+1
Published: 2024-10-29 · Updated: 2026-06-15 · CVE-2024-8309
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
langchain-ai/langchain version 0.2.5
langchain-ai/langchain-community version 0.2.5
Description:
A vulnerability in the GraphCypherQAChain class allows SQL injection through prompt injection, leading to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
Recommendations:
For langchain-ai/langchain version 0.2.5 and langchain-ai/langchain-community version 0.2.5, consider disabling the GraphCypherQAChain class until a patch is available to prevent SQL injection attacks.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
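GraphCypherQAChain turns natural-language questions into Cypher queries for a Neo4j-style graph database and executes them, so the injection described above is a Cypher query that the model was talked into writing. Until a patched release is available, a defender who cannot simply disable the chain can at least refuse to execute any generated query that is not a plain read. The guard below is an added example written for this advisory; it is not code from langchain and does not use its API. The function names, the keyword list and the sample queries are constructed for illustration, and the guard is meant to run on the query string between generation and execution, in addition to (not instead of) a read-only database role for the chain's credentials.

```python
import re

# Cypher keywords that write data, change schema, or invoke procedures.
# Blocking CALL also blocks read-only procedures; that is the safe direction
# for a query an untrusted prompt may have shaped (constructed list).
WRITE_KEYWORDS = (
    "CREATE", "MERGE", "DELETE", "DETACH", "SET", "REMOVE", "DROP",
    "CALL", "LOAD", "FOREACH", "ALTER", "GRANT", "DENY", "REVOKE",
)

_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# Single- or double-quoted string literals, with backslash escapes.
_STRING_RE = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
_WRITE_RE = re.compile(r"\b(" + "|".join(WRITE_KEYWORDS) + r")\b", re.I)
# A read query must open with one of these clauses.
_START_RE = re.compile(r"^\s*(MATCH|OPTIONAL\s+MATCH|WITH|UNWIND|RETURN)\b", re.I)


class UnsafeCypherError(ValueError):
    """Raised when a generated query is not a plain read."""


def normalize(query: str) -> str:
    """Strip comments and blank out string literals so that keywords hidden
    in them are neither counted as writes nor used to hide a real write."""
    q = _COMMENT_RE.sub(" ", query)
    q = _STRING_RE.sub("''", q)
    return q.strip()


def check_read_only(query: str) -> tuple[bool, str]:
    """Return (True, 'ok') for a single read-only statement, else (False, reason)."""
    q = normalize(query)
    if not q:
        return False, "empty query"
    # A ';' anywhere but the very end means stacked statements.
    if ";" in q.rstrip(";"):
        return False, "stacked statements"
    m = _WRITE_RE.search(q)
    if m:
        # Property names like n.set would also trip this; a false positive
        # here only costs a refused read, never an executed write.
        return False, f"write clause not allowed: {m.group(1).upper()}"
    if not _START_RE.match(q):
        return False, "query does not start with a read clause"
    return True, "ok"


def run_guarded(execute, query: str):
    """Execute `query` through `execute` only if it passes the guard.
    `execute` is whatever callable actually talks to the database."""
    ok, reason = check_read_only(query)
    if not ok:
        raise UnsafeCypherError(reason)
    return execute(query)


# Constructed sample queries of the kind a question-answering chain might emit.
SAMPLE_QUERIES = [
    "MATCH (p:Person)-[:ACTED_IN]->(m:Movie {title: 'Inception'}) RETURN p.name",
    "MATCH (n) DETACH DELETE n",
    "MATCH (p:Person) RETURN p.name; MATCH (n) DELETE n",
    "MATCH (m:Movie) WHERE m.title = 'CREATE' RETURN m",
    "CALL db.labels() YIELD label RETURN label",
    "// count everything\nMATCH (m:Movie) RETURN count(m)",
]


def screen(queries=SAMPLE_QUERIES) -> list[tuple[str, bool, str]]:
    """Classify each query; returns (query, allowed, reason) triples."""
    return [(q, *check_read_only(q)) for q in queries]


if __name__ == "__main__":
    for q, ok, reason in screen():
        print("ALLOW" if ok else "BLOCK", reason, "<-", q.replace("\n", " "))
    # A fake executor stands in for the real database call.
    print(run_guarded(lambda q: f"executed: {q}", SAMPLE_QUERIES[0]))
```

The string-literal blanking matters in both directions: a legitimate question about a movie titled "CREATE" should not be refused, and a keyword can only count if it sits in query syntax. Stacked statements are refused outright because a chain never needs more than one statement per question, and that is the usual shape of an injected write appended to a benign read.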
Exploit: Special Elements Injection · SQL injection
Related Identifiers: CVE-2024-8309
Affected Products: Langchain, Langchain-Community