Palo Alto Networks researchers have identified two vulnerabilities (CVE-2023-46229 and CVE-2023-44467) in LangChain, a popular open source generative AI framework on GitHub. CVE-2023-44467 has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
The vulnerabilities are:
- CVE-2023-46229: A server-side request forgery (SSRF) vulnerability that could allow an attacker to manipulate the server into making HTTP requests to an arbitrary domain. It exploits the server's ability to crawl from an external server to an internal server, and can result in unauthorised access to sensitive data.
- CVE-2023-44467: A prompt injection vulnerability that could allow an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via `__import__` in Python code.
The vulnerabilities affect LangChain versions prior to 0.0.317.
Users and administrators of affected product versions are advised to update to the latest version immediately.
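One way to check pinned dependencies against the affected range stated above, as an added example that is not part of the original advisory. The function names and the requirement lines in `SAMPLE` are constructed for illustration, and only single-specifier `requirements.txt` lines are classified; anything else is reported as `unknown` so it gets checked by hand.

```python
import re

# First unaffected release, taken from the advisory text above.
FIXED = (0, 0, 317)

# Matches a requirements.txt line for the "langchain" distribution only
# (not langchain-core, langchain_community, ...), with optional extras.
_REQ = re.compile(
    r"^\s*langchain(?![\w.-])(?:\[[^\]]*\])?\s*"
    r"(?:(==|>=|<=|<)\s*(\d+(?:\.\d+)*))?",
    re.IGNORECASE,
)

def parse_version(text):
    """Turn '0.0.316' into (0, 0, 316), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_line(line):
    """Classify one requirement line: 'affected', 'ok', 'unknown', or None."""
    m = _REQ.match(line.split("#", 1)[0])  # ignore trailing comments
    if not m:
        return None  # not a langchain requirement
    op, ver = m.groups()
    if ver is None:
        return "unknown"  # unpinned, or a specifier this sketch does not parse
    v = parse_version(ver)
    if op == "==":
        return "affected" if v < FIXED else "ok"
    if op == ">=":
        # A lower bound below the fix may still resolve to a fixed release.
        return "ok" if v >= FIXED else "unknown"
    # Upper bounds: every version the specifier allows is below the fix.
    if (op == "<" and v <= FIXED) or (op == "<=" and v < FIXED):
        return "affected"
    return "unknown"

def audit(lines):
    """Return {requirement line: status} for every langchain requirement."""
    pairs = ((raw.strip(), audit_line(raw)) for raw in lines)
    return {req: status for req, status in pairs if status is not None}

# Constructed sample input, not taken from any real project.
SAMPLE = ["langchain[llms]==0.0.316", "langchain==0.0.317",
          "langchain>=0.0.200", "langchain-core==0.1.0", "requests==2.31.0"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A line reported as `unknown` needs the resolved version from the lock file or the installed environment before it can be cleared.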
More information is available here:
https://unit42.paloaltonetworks.com/langchain-vulnerabilities/
https://www.recordedfuture.com/vulnerability-database/CVE-2023-46229
https://www.recordedfuture.com/vulnerability-database/CVE-2023-44467