7 matches found
CVE-2024-8309 SQL Injection in langchain-ai/langchain
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all data, breaches in multi-tenant securit...
CVE-2024-5998
A vulnerability in the FAISS.deserializefrombytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product...
CVE-2024-5998 Deserialization of Untrusted Data in langchain-ai/langchain
A vulnerability in the FAISS.deserializefrombytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product...
Denial of service in langchain-community
Denial of service in SitemapLoader Document Loader in the langchain-community package, affecting versions below 0.2.5. The parsesitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap...
CVE-2024-2965
CVE-2024-2965 affects the LangChain SitemapLoader in langchain-ai/langchain. The parse_sitemap function lacks a guard against self-referential sitemap recursion, enabling an infinite recursion loop that can exhaust server resources and crash the Python process. Multiple trusted sources (NVD, Red ...
CVE-2024-3095 SSRF in Langchain Web Research Retriever in langchain-ai/langchain
A Server-Side Request Forgery SSRF vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This...
CVE-2024-1455 Billion Laughs Attack leading to DoS in langchain-ai/langchain
A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity XXE exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading t...