{"url":"http://public2.vulnerablecode.io/api/packages/34207?format=json","purl":"pkg:pypi/langchain@0.0.224","type":"pypi","namespace":"","name":"langchain","version":"0.0.224","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.3.1","latest_non_vulnerable_version":"0.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36921?format=json","vulnerability_id":"VCID-23um-cqks-tkc5","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[{"reference_url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255"},{"reference_url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41226?format=json","purl":"pkg:pypi/langchain@0.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.0"}],"aliases":["CVE-2024-8309","PYSEC-2024-115"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-23um-cqks-tkc5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36518?format=json","vulnerability_id":"VCID-2cuv-kudj-c3cg","summary":"An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/7700","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/issues/7700"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/12427","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/12427"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/5640","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/pull/5640"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.325","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.325"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39659","reference_id":"CVE-2023-39659","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39659"},{"reference_url":"https://github.com/advisories/GHSA-prgp-w7vf-ch62","reference_id":"GHSA-prgp-w7vf-ch62","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-prgp-w7vf-ch62"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34216?format=json","purl":"pkg:pypi/langchain@0.0.233","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-2cyy-g843-9qec"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-5977-kuku-ebek"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-a2h3-qgax-qbdr"},{"vulnerability":"VCID-ayhd-z87z-jkbq"},{"vulnerability":"VCID-ctus-n9fc-gqhu"},{"vulnerability":"VCID-exkd-sryf-e3ad"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.233"},{"url":"http://public2.vulnerablecode.io/api/packages/40537?format=json","purl":"pkg:pypi/langchain@0.0.325","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.325"}],"aliases":["CVE-2023-39659","GHSA-prgp-w7vf-ch62","PYSEC-2023-147"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2cuv-kudj-c3cg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36463?format=json","vulnerability_id":"VCID-2cyy-g843-9qec","summary":"Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4849","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/4849"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34541","reference_id":"CVE-2023-34541","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34541"},{"reference_url":"https://github.com/advisories/GHSA-6643-h7h5-x9wh","reference_id":"GHSA-6643-h7h5-x9wh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6643-h7h5-x9wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34232?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-34541","GHSA-6643-h7h5-x9wh","PYSEC-2023-92"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2cyy-g843-9qec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36538?format=json","vulnerability_id":"VCID-52vp-m7t5-hqas","summary":"An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/8363","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/issues/8363"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11302","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/pull/11302"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.308"},{"reference_url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7"},{"reference_url":"https://github.com/pydata/numexpr/issues/442","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/pydata/numexpr/issues/442"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631","reference_id":"CVE-2023-39631","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39631"},{"reference_url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x","reference_id":"GHSA-f73w-4m7g-ch9x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f73w-4m7g-ch9x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35618?format=json","purl":"pkg:pypi/langchain@0.0.308","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308"}],"aliases":["CVE-2023-39631","GHSA-f73w-4m7g-ch9x","PYSEC-2023-162","PYSEC-2023-163"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-52vp-m7t5-hqas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36477?format=json","vulnerability_id":"VCID-5977-kuku-ebek","summary":"An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.","references":[{"reference_url":"https://github.com/hwchase17/langchain/issues/5872","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/issues/5872"},{"reference_url":"https://github.com/hwchase17/langchain/pull/6003","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/5872"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36188","reference_id":"CVE-2023-36188","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36188"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34232?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36188","PYSEC-2023-109"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5977-kuku-ebek"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36800?format=json","vulnerability_id":"VCID-964p-24u8-yucb","summary":"A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.","references":[{"reference_url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82"},{"reference_url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41231?format=json","purl":"pkg:pypi/langchain@0.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5"}],"aliases":["CVE-2024-2965","PYSEC-2024-118"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-964p-24u8-yucb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36472?format=json","vulnerability_id":"VCID-a2h3-qgax-qbdr","summary":"An issue in langchain v.0.0.199 allows an attacker to execute arbitrary code via the PALChain in the python exec method.","references":[{"reference_url":"https://github.com/hwchase17/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/5872"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6003","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/7870","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/7870"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36258","reference_id":"CVE-2023-36258","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36258"},{"reference_url":"https://github.com/advisories/GHSA-2qmj-7962-cjq8","reference_id":"GHSA-2qmj-7962-cjq8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2qmj-7962-cjq8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34232?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36258","GHSA-2qmj-7962-cjq8","PYSEC-2023-98"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a2h3-qgax-qbdr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36509?format=json","vulnerability_id":"VCID-ayhd-z87z-jkbq","summary":"An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.","references":[{"reference_url":"http://langchain.com","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"http://langchain.com"},{"reference_url":"https://github.com/hwchase17/langchain","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/hwchase17/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e"},{"reference_url":"https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5872","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/issues/5872"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6003","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/6003"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/7870","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/7870"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36095","reference_id":"CVE-2023-36095","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36095"},{"reference_url":"https://github.com/advisories/GHSA-gwqq-6vq7-5j86","reference_id":"GHSA-gwqq-6vq7-5j86","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gwqq-6vq7-5j86"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34219?format=json","purl":"pkg:pypi/langchain@0.0.236","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-2cyy-g843-9qec"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-5977-kuku-ebek"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-a2h3-qgax-qbdr"},{"vulnerability":"VCID-ctus-n9fc-gqhu"},{"vulnerability":"VCID-exkd-sryf-e3ad"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236"}],"aliases":["CVE-2023-36095","GHSA-gwqq-6vq7-5j86","PYSEC-2023-138"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ayhd-z87z-jkbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36478?format=json","vulnerability_id":"VCID-ctus-n9fc-gqhu","summary":"SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.","references":[{"reference_url":"https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f","reference_id":"","reference_type":"","scores":[],"url":"https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f"},{"reference_url":"https://github.com/hwchase17/langchain/issues/5923","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/issues/5923"},{"reference_url":"https://github.com/hwchase17/langchain/pull/6051","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/pull/6051"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5923","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/5923"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36189","reference_id":"CVE-2023-36189","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36189"},{"reference_url":"https://github.com/advisories/GHSA-7q94-qpjr-xpgm","reference_id":"GHSA-7q94-qpjr-xpgm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7q94-qpjr-xpgm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34232?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-36189","GHSA-7q94-qpjr-xpgm","PYSEC-2023-110"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ctus-n9fc-gqhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36519?format=json","vulnerability_id":"VCID-exkd-sryf-e3ad","summary":"An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.","references":[{"reference_url":"https://github.com/hwchase17/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain"},{"reference_url":"https://github.com/hwchase17/langchain/issues/7641","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/issues/7641"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/7641","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchain/issues/7641"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8092","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8092"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/8425","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/8425"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38860","reference_id":"CVE-2023-38860","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38860"},{"reference_url":"https://github.com/advisories/GHSA-fj32-q626-pjjc","reference_id":"GHSA-fj32-q626-pjjc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fj32-q626-pjjc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34232?format=json","purl":"pkg:pypi/langchain@0.0.247","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247"}],"aliases":["CVE-2023-38860","GHSA-fj32-q626-pjjc","PYSEC-2023-145"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-exkd-sryf-e3ad"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36910?format=json","vulnerability_id":"VCID-fdk5-mhqa-mqgw","summary":"A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.","references":[{"reference_url":"https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6"},{"reference_url":"https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43763?format=json","purl":"pkg:pypi/langchain@0.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.1"}],"aliases":["CVE-2024-7042","PYSEC-2024-114"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fdk5-mhqa-mqgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36461?format=json","vulnerability_id":"VCID-j2kj-2axx-rqgr","summary":"Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.","references":[{"reference_url":"https://github.com/hwchase17/langchain/issues/4833","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/hwchase17/langchain/issues/4833"},{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb"},{"reference_url":"https://github.com/langchain-ai/langchain/issues/4833","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/issues/4833"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/6992","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/6992"},{"reference_url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.225","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/releases/tag/v0.0.225"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34540","reference_id":"CVE-2023-34540","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34540"},{"reference_url":"https://github.com/advisories/GHSA-x32c-59v5-h7fg","reference_id":"GHSA-x32c-59v5-h7fg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x32c-59v5-h7fg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34208?format=json","purl":"pkg:pypi/langchain@0.0.225","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-2cuv-kudj-c3cg"},{"vulnerability":"VCID-2cyy-g843-9qec"},{"vulnerability":"VCID-52vp-m7t5-hqas"},{"vulnerability":"VCID-5977-kuku-ebek"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-a2h3-qgax-qbdr"},{"vulnerability":"VCID-ayhd-z87z-jkbq"},{"vulnerability":"VCID-ctus-n9fc-gqhu"},{"vulnerability":"VCID-exkd-sryf-e3ad"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"},{"vulnerability":"VCID-mrfe-fcyn-1qg8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.225"}],"aliases":["CVE-2023-34540","GHSA-x32c-59v5-h7fg","PYSEC-2023-91"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j2kj-2axx-rqgr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36747?format=json","vulnerability_id":"VCID-m5uw-4tqc-3ub8","summary":"LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/18600","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/18600"},{"reference_url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088","reference_id":"CVE-2024-28088","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28088"},{"reference_url":"https://github.com/advisories/GHSA-h59x-p739-982c","reference_id":"GHSA-h59x-p739-982c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-h59x-p739-982c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/40587?format=json","purl":"pkg:pypi/langchain@0.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11"}],"aliases":["CVE-2024-28088","GHSA-h59x-p739-982c","PYSEC-2024-43","PYSEC-2024-45"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m5uw-4tqc-3ub8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36579?format=json","vulnerability_id":"VCID-mrfe-fcyn-1qg8","summary":"LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.","references":[{"reference_url":"https://github.com/langchain-ai/langchain","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain"},{"reference_url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8"},{"reference_url":"https://github.com/langchain-ai/langchain/pull/11925","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/langchain-ai/langchain/pull/11925"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229","reference_id":"CVE-2023-46229","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46229"},{"reference_url":"https://github.com/advisories/GHSA-655w-fm8m-m478","reference_id":"GHSA-655w-fm8m-m478","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-655w-fm8m-m478"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36585?format=json","purl":"pkg:pypi/langchain@0.0.317","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-23um-cqks-tkc5"},{"vulnerability":"VCID-964p-24u8-yucb"},{"vulnerability":"VCID-fdk5-mhqa-mqgw"},{"vulnerability":"VCID-m5uw-4tqc-3ub8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317"}],"aliases":["CVE-2023-46229","GHSA-655w-fm8m-m478","PYSEC-2023-205"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mrfe-fcyn-1qg8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.224"}