Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/33225?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/33225?format=api", "purl": "pkg:pypi/langchain@0.0.83", "type": "pypi", "namespace": "", "name": "langchain", "version": "0.0.83", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.3.1", "latest_non_vulnerable_version": "0.3.1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36921?format=api", "vulnerability_id": "VCID-23um-cqks-tkc5", "summary": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255" }, { "reference_url": "https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41226?format=api", "purl": "pkg:pypi/langchain@0.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.0" } ], "aliases": [ "CVE-2024-8309", "PYSEC-2024-115" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-23um-cqks-tkc5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36518?format=api", "vulnerability_id": "VCID-2cuv-kudj-c3cg", "summary": "An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/7700", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/issues/7700" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/12427", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/12427" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/5640", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/pull/5640" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.325", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.325" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39659", "reference_id": "CVE-2023-39659", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39659" }, { "reference_url": "https://github.com/advisories/GHSA-prgp-w7vf-ch62", "reference_id": "GHSA-prgp-w7vf-ch62", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-prgp-w7vf-ch62" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34216?format=api", "purl": "pkg:pypi/langchain@0.0.233", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ayhd-z87z-jkbq" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.233" }, { "url": "http://public2.vulnerablecode.io/api/packages/40537?format=api", "purl": "pkg:pypi/langchain@0.0.325", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.325" } ], "aliases": [ "CVE-2023-39659", "GHSA-prgp-w7vf-ch62", "PYSEC-2023-147" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2cuv-kudj-c3cg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36463?format=api", "vulnerability_id": "VCID-2cyy-g843-9qec", "summary": "Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4849", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/4849" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34541", "reference_id": "CVE-2023-34541", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34541" }, { "reference_url": "https://github.com/advisories/GHSA-6643-h7h5-x9wh", "reference_id": "GHSA-6643-h7h5-x9wh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6643-h7h5-x9wh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34232?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-34541", "GHSA-6643-h7h5-x9wh", "PYSEC-2023-92" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2cyy-g843-9qec" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36414?format=api", "vulnerability_id": "VCID-3ve9-cev3-a7g5", "summary": "In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain/issues/1026", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/1026" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/814", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/814" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/1119", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/pull/1119" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml" }, { "reference_url": "https://twitter.com/rharang/status/1641899743608463365/photo/1", "reference_id": "", "reference_type": "", "scores": [], "url": "https://twitter.com/rharang/status/1641899743608463365/photo/1" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29374", "reference_id": "CVE-2023-29374", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29374" }, { "reference_url": "https://github.com/advisories/GHSA-fprp-p869-w6q2", "reference_id": "GHSA-fprp-p869-w6q2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fprp-p869-w6q2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33277?format=api", "purl": "pkg:pypi/langchain@0.0.132", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cuv-kudj-c3cg" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-9d9u-r5kk-6fa4" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ayhd-z87z-jkbq" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-dv6m-m6rf-4qa9" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-j2kj-2axx-rqgr" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.132" } ], "aliases": [ "CVE-2023-29374", "GHSA-fprp-p869-w6q2", "PYSEC-2023-18" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ve9-cev3-a7g5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36538?format=api", "vulnerability_id": "VCID-52vp-m7t5-hqas", "summary": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/8363", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/issues/8363" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/11302", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/pull/11302" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.308", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.308" }, { "reference_url": "https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7" }, { "reference_url": "https://github.com/pydata/numexpr/issues/442", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/pydata/numexpr/issues/442" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39631", "reference_id": "CVE-2023-39631", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39631" }, { "reference_url": "https://github.com/advisories/GHSA-f73w-4m7g-ch9x", "reference_id": "GHSA-f73w-4m7g-ch9x", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-f73w-4m7g-ch9x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35618?format=api", "purl": "pkg:pypi/langchain@0.0.308", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308" } ], "aliases": [ "CVE-2023-39631", "GHSA-f73w-4m7g-ch9x", "PYSEC-2023-162", "PYSEC-2023-163" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-52vp-m7t5-hqas" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36477?format=api", "vulnerability_id": "VCID-5977-kuku-ebek", "summary": "An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain/issues/5872", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/5872" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/5872" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36188", "reference_id": "CVE-2023-36188", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36188" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34232?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36188", "PYSEC-2023-109" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5977-kuku-ebek" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36800?format=api", "vulnerability_id": "VCID-964p-24u8-yucb", "summary": "A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82" }, { "reference_url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41231?format=api", "purl": "pkg:pypi/langchain@0.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-fdk5-mhqa-mqgw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5" } ], "aliases": [ "CVE-2024-2965", "PYSEC-2024-118" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-964p-24u8-yucb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36521?format=api", "vulnerability_id": "VCID-9d9u-r5kk-6fa4", "summary": "An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain/issues/5872", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/hwchase17/langchain/issues/5872" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/hwchase17/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml" }, { "reference_url": "https://twitter.com/llm_sec/status/1668711587287375876", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://twitter.com/llm_sec/status/1668711587287375876" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38896", "reference_id": "CVE-2023-38896", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38896" }, { "reference_url": "https://github.com/advisories/GHSA-92j5-3459-qgp4", "reference_id": "GHSA-92j5-3459-qgp4", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-92j5-3459-qgp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34178?format=api", "purl": "pkg:pypi/langchain@0.0.195", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cuv-kudj-c3cg" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ayhd-z87z-jkbq" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-j2kj-2axx-rqgr" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.195" }, { "url": "http://public2.vulnerablecode.io/api/packages/34219?format=api", "purl": "pkg:pypi/langchain@0.0.236", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236" } ], "aliases": [ "CVE-2023-38896", "GHSA-92j5-3459-qgp4", "PYSEC-2023-146" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9d9u-r5kk-6fa4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36472?format=api", "vulnerability_id": "VCID-a2h3-qgax-qbdr", "summary": "An issue in langchain v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/5872" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/7870", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/7870" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36258", "reference_id": "CVE-2023-36258", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36258" }, { "reference_url": "https://github.com/advisories/GHSA-2qmj-7962-cjq8", "reference_id": "GHSA-2qmj-7962-cjq8", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2qmj-7962-cjq8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34232?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36258", "GHSA-2qmj-7962-cjq8", "PYSEC-2023-98" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a2h3-qgax-qbdr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36509?format=api", "vulnerability_id": "VCID-ayhd-z87z-jkbq", "summary": "An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.", "references": [ { "reference_url": "http://langchain.com", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "http://langchain.com" }, { "reference_url": "https://github.com/hwchase17/langchain", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/hwchase17/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/issues/5872" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/7870", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/7870" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36095", "reference_id": "CVE-2023-36095", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36095" }, { "reference_url": "https://github.com/advisories/GHSA-gwqq-6vq7-5j86", "reference_id": "GHSA-gwqq-6vq7-5j86", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gwqq-6vq7-5j86" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34219?format=api", "purl": "pkg:pypi/langchain@0.0.236", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236" } ], "aliases": [ "CVE-2023-36095", "GHSA-gwqq-6vq7-5j86", "PYSEC-2023-138" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ayhd-z87z-jkbq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36478?format=api", "vulnerability_id": "VCID-ctus-n9fc-gqhu", "summary": "SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.", "references": [ { "reference_url": "https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/5923", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/5923" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6051", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/pull/6051" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5923", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/5923" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36189", "reference_id": "CVE-2023-36189", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36189" }, { "reference_url": "https://github.com/advisories/GHSA-7q94-qpjr-xpgm", "reference_id": "GHSA-7q94-qpjr-xpgm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7q94-qpjr-xpgm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34232?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36189", "GHSA-7q94-qpjr-xpgm", "PYSEC-2023-110" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ctus-n9fc-gqhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36525?format=api", "vulnerability_id": "VCID-dv6m-m6rf-4qa9", "summary": "An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the load_prompt parameter.", "references": [ { "reference_url": "https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/4394", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/hwchase17/langchain/issues/4394" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/10252", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/10252" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.312", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.312" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36281", "reference_id": "CVE-2023-36281", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36281" }, { "reference_url": "https://github.com/advisories/GHSA-7gfq-f96f-g85j", "reference_id": "GHSA-7gfq-f96f-g85j", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-7gfq-f96f-g85j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34154?format=api", "purl": "pkg:pypi/langchain@0.0.171", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cuv-kudj-c3cg" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-9d9u-r5kk-6fa4" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ayhd-z87z-jkbq" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-j2kj-2axx-rqgr" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.171" }, { "url": "http://public2.vulnerablecode.io/api/packages/36580?format=api", "purl": "pkg:pypi/langchain@0.0.312", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.312" } ], "aliases": [ "CVE-2023-36281", "GHSA-7gfq-f96f-g85j", "PYSEC-2023-151" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dv6m-m6rf-4qa9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36519?format=api", "vulnerability_id": "VCID-exkd-sryf-e3ad", "summary": "An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/7641", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/7641" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/7641", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchain/issues/7641" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8092", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8092" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38860", "reference_id": "CVE-2023-38860", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38860" }, { "reference_url": "https://github.com/advisories/GHSA-fj32-q626-pjjc", "reference_id": "GHSA-fj32-q626-pjjc", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fj32-q626-pjjc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34232?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-38860", "GHSA-fj32-q626-pjjc", "PYSEC-2023-145" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-exkd-sryf-e3ad" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36910?format=api", "vulnerability_id": "VCID-fdk5-mhqa-mqgw", "summary": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6" }, { "reference_url": "https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43763?format=api", "purl": "pkg:pypi/langchain@0.3.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.1" } ], "aliases": [ "CVE-2024-7042", "PYSEC-2024-114" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fdk5-mhqa-mqgw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36461?format=api", "vulnerability_id": "VCID-j2kj-2axx-rqgr", "summary": "Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.", "references": [ { "reference_url": "https://github.com/hwchase17/langchain/issues/4833", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/hwchase17/langchain/issues/4833" }, { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4833", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/issues/4833" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6992", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/6992" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.225", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.225" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34540", "reference_id": "CVE-2023-34540", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34540" }, { "reference_url": "https://github.com/advisories/GHSA-x32c-59v5-h7fg", "reference_id": "GHSA-x32c-59v5-h7fg", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x32c-59v5-h7fg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34208?format=api", "purl": "pkg:pypi/langchain@0.0.225", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-2cuv-kudj-c3cg" }, { "vulnerability": "VCID-2cyy-g843-9qec" }, { "vulnerability": "VCID-52vp-m7t5-hqas" }, { "vulnerability": "VCID-5977-kuku-ebek" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-a2h3-qgax-qbdr" }, { "vulnerability": "VCID-ayhd-z87z-jkbq" }, { "vulnerability": "VCID-ctus-n9fc-gqhu" }, { "vulnerability": "VCID-exkd-sryf-e3ad" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" }, { "vulnerability": "VCID-mrfe-fcyn-1qg8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.225" } ], "aliases": [ "CVE-2023-34540", "GHSA-x32c-59v5-h7fg", "PYSEC-2023-91" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j2kj-2axx-rqgr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36747?format=api", "vulnerability_id": "VCID-m5uw-4tqc-3ub8", "summary": "LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/18600", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/18600" }, { "reference_url": "https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28088", "reference_id": "CVE-2024-28088", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28088" }, { "reference_url": "https://github.com/advisories/GHSA-h59x-p739-982c", "reference_id": "GHSA-h59x-p739-982c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-h59x-p739-982c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40587?format=api", "purl": "pkg:pypi/langchain@0.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11" } ], "aliases": [ "CVE-2024-28088", "GHSA-h59x-p739-982c", "PYSEC-2024-43", "PYSEC-2024-45" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m5uw-4tqc-3ub8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36579?format=api", "vulnerability_id": "VCID-mrfe-fcyn-1qg8", "summary": "LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.", "references": [ { "reference_url": "https://github.com/langchain-ai/langchain", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/11925", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/langchain-ai/langchain/pull/11925" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46229", "reference_id": "CVE-2023-46229", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46229" }, { "reference_url": "https://github.com/advisories/GHSA-655w-fm8m-m478", "reference_id": "GHSA-655w-fm8m-m478", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-655w-fm8m-m478" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36585?format=api", "purl": "pkg:pypi/langchain@0.0.317", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23um-cqks-tkc5" }, { "vulnerability": "VCID-964p-24u8-yucb" }, { "vulnerability": "VCID-fdk5-mhqa-mqgw" }, { "vulnerability": "VCID-m5uw-4tqc-3ub8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317" } ], "aliases": [ "CVE-2023-46229", "GHSA-655w-fm8m-m478", "PYSEC-2023-205" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mrfe-fcyn-1qg8" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.83" }