CVE-2023-32786

HIGH 7.5 | EPSS 0.14%

Langchain Server-Side Request Forgery vulnerability

Published: 10/21/2023 | Modified: 2/16/2024

Description

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

Affected packages (1)

CVSS scores

Source   Version    Severity   Vector
osv      CVSS 3.1   HIGH 7.5   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)