CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
langchain-experimental is vulnerable to code injection. When a server is configured with VectorSQLDatabaseChain, every value retrieved from the database is passed through Python's eval(), so any string an attacker can get stored in, or returned by, the queried database is executed as Python code in the context of the application.
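The following is an added illustration of the bug class, not code from langchain-experimental or from the linked fix: a constructed set of database rows whose value column holds a serialised vector, parsed once with the vulnerable eval() pattern and once with a hardened parser that only accepts a JSON list of numbers. The function names, the row layout and the sample rows are assumptions made for the example.

```python
"""Added example: eval() on database-retrieved values vs. a strict parser.

This is illustrative code, not langchain's own. The row format and function
names are hypothetical; the point is that eval() executes whatever string the
database returns, while a JSON-plus-shape check cannot run code at all.
"""
import json

# Side-effect marker so the example can show that attacker code actually ran.
EXECUTED = []

# Constructed sample rows, shaped like (document_id, serialised_vector).
# The third row is attacker-controlled: instead of a list literal it carries
# a Python expression that runs code and then yields a plausible-looking
# vector so the injection is not noticed downstream.
SAMPLE_ROWS = [
    ("doc-1", "[0.1, 0.2, 0.3]"),
    ("doc-2", "[0.4, 0.5, 0.6]"),
    ("doc-3", "EXECUTED.append('code ran') or [0.0, 0.0, 0.0]"),
]


def parse_rows_unsafe(rows):
    """Vulnerable pattern: every retrieved value goes straight into eval().

    eval() evaluates arbitrary Python, so a row under attacker control is an
    arbitrary-code-execution primitive inside the application process.
    """
    return {doc_id: eval(value) for doc_id, value in rows}  # noqa: S307 (deliberately unsafe)


def parse_vector(value):
    """Hardened replacement: parse as JSON and enforce the expected shape.

    json.loads() has no way to execute code; the shape check rejects anything
    that is not a flat list of numbers (bool is excluded since it is an int
    subclass in Python).
    """
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a JSON vector: {value!r}") from exc
    if not isinstance(parsed, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in parsed
    ):
        raise ValueError(f"not a list of numbers: {value!r}")
    return [float(x) for x in parsed]


def parse_rows_safe(rows):
    """Parse all rows with the strict parser; report rejected row ids."""
    vectors, rejected = {}, []
    for doc_id, value in rows:
        try:
            vectors[doc_id] = parse_vector(value)
        except ValueError:
            rejected.append(doc_id)
    return vectors, rejected


if __name__ == "__main__":
    unsafe = parse_rows_unsafe(SAMPLE_ROWS)
    print("unsafe parse ran attacker code:", EXECUTED == ["code ran"])
    print("unsafe result for doc-3 looks legitimate:", unsafe["doc-3"])
    safe, rejected = parse_rows_safe(SAMPLE_ROWS)
    print("safe parse rejected:", rejected)
```

Running it shows the attacker's row both executing code and returning a normal-looking vector under eval(), while the strict parser rejects that row and leaves the marker list untouched. ast.literal_eval() would also stop code execution, but it still accepts any Python literal; a JSON decode followed by an explicit shape check is narrower and is the easier pattern to audit, which is why the example uses it.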
github.com/advisories/GHSA-cgcg-p68q-3w7v
github.com/langchain-ai/langchain/blob/672907bbbb7c38bf19787b78e4ffd7c8a9026fe4/libs/experimental/langchain_experimental/sql/vector_sql.py#L81
github.com/langchain-ai/langchain/commit/7b13292e3544b2f5f2bfb8a27a062ea2b0c34561
github.com/pypa/advisory-database/tree/main/vulns/langchain-experimental/PYSEC-2024-62.yaml