Search for packages
| purl | pkg:pypi/langchain@0.2.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-fdk5-mhqa-mqgw
Aliases: CVE-2024-7042 GHSA-6m59-8fmv-m5f9 PYSEC-2024-114 |
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. |
Affected by 0 other vulnerabilities. |
|
VCID-hdc6-zar9-zkf2
Aliases: CVE-2024-5998 GHSA-f2jm-rw3h-6phg |
LangChain pickle deserialization of untrusted data A vulnerability in the `FAISS.deserialize_from_bytes` function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the `os.system` function. The issue affects versions prior to 0.2.10. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T05:22:38.811122+00:00 | GitLab Importer | Affected by | VCID-hdc6-zar9-zkf2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langchain/CVE-2024-5998.yml | 38.6.0 |
| 2026-06-05T17:04:17.275143+00:00 | PyPI Importer | Affected by | VCID-fdk5-mhqa-mqgw | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.6.0 |
| 2026-06-02T04:22:27.114625+00:00 | Pypa Importer | Affected by | VCID-fdk5-mhqa-mqgw | https://github.com/pypa/advisory-database/blob/main/vulns/langchain/PYSEC-2024-114.yaml | 38.6.0 |