HIGH 7.5

GHSA-6h8p-4hx9-w66c

Langchain Server-Side Request Forgery vulnerability

Details

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

Affected packages

PyPI / langchain
Introduced in: 0
Fixed in: 0.0.329
Fix: pip install --upgrade 'langchain>=0.0.329'

References