CVE-2023-32786 – langchain
Package
Manager: pip
Name: langchain
Vulnerable Version: >=0 <0.0.329
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00127 (percentile 0.32921)
Details
Langchain Server-Side Request Forgery vulnerability. In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.
Metadata
Created: 2023-10-21T00:30:47Z
Modified: 2023-11-02T21:07:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-6h8p-4hx9-w66c/GHSA-6h8p-4hx9-w66c.json
CWE IDs: ["CWE-74", "CWE-918"]
Alternative ID: GHSA-6h8p-4hx9-w66c
Finding: F100
Auto approve: 1