CVE-2024-7042

CVSS V2 None CVSS V3 None

Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Overview

CVE ID
CVE-2024-7042

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-10-29T12:50:05.375Z

Last Modified Date
2024-10-29T18:13:22.249Z

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/b612defb-1104-4fff-9fef-001ab07c7b2d
https://github.com/langchain-ai/langchainjs/commit/615b9d9ab30a2d23a2f95fb8d7acfdf4b41ad7a6

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7042
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7042

History

Created	Old Value	New Value	Data Type	Notes
2024-10-30 13:17:18				Added to TrackCVE