HIGH 7.6

GHSA-2mfg-cc43-9pcj

LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector

Details

### Summary

The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and `removeAll(Filter)` operations.

### Details

**pgvector — JSON mode (default, `COMBINED_JSON` / `COMBINED_JSONB`).** `JSONFilterMapper` places the key inside a single-quoted SQL literal (the JSON key of the `->>` operator) with no escaping:

```sql
(metadata->>'<key>')::text
```

A key containing a single quote breaks out, e.g. `metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --")` injects a live `pg_sleep(1)` (observable as a delay; exploitable for blind data extraction).

**pgvector — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` used the key as a bare, unquoted, unvalidated SQL identifier (`<key>::<type>`), so a key such as `1=1 OR true --` injects directly.

**MariaDB — JSON mode (default).** `JSONFilterMapper` placed the key inside the JSON path literal `'$.<key>'` unescaped (same break-out mechanism). Additionally, `MariaDbFilterMapper.formatValue()` escaped `'` but not `\`; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.

**MariaDB — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).

The filter key is the runtime injection surface; both stores' `search()` (including pgvector's HYBRID mode) and `removeAll(Filter)` are affected. Add/upsert operations are parameterized and not affected.

### Impact

Applications that allow attacker-influenced metadata filter keys (e.g. LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and, through `removeAll(Filter)`, deletion of arbitrary rows. Applications that use only hard-coded, developer-defined filter keys do not expose the injection surface.

### Patches

Fixed in `langchain4j-mariadb` and `langchain4j-pgvector` 1.16.3-beta26:

- JSON filter keys are escaped before being embedded in the SQL string literal (PostgreSQL: single quotes doubled, which is correct for `standard_conforming_strings = on`; MariaDB: backslash and single quote escaped).
- MariaDB string values escape both `\` and `'`.
- Column-mode keys are validated and quoted as identifiers, and rejected when they cannot be quoted; they are never concatenated as raw SQL.
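The quoting differences described in the Details and Patches sections above, as an added illustration rather than LangChain4j's own code: a small Java model of the vulnerable and fixed key and value handling for both stores, driven with the advisory's own payloads. The class and method names, the `metadata` column, and the identifier pattern used for column mode are assumptions.

```java
import java.util.regex.Pattern;

/**
 * Models the filter-to-SQL quoting at issue in GHSA-2mfg-cc43-9pcj.
 * Added illustration only; not LangChain4j code. Method names, the
 * "metadata" column and the identifier pattern are assumptions.
 */
public final class FilterKeyQuoting {

    // Vulnerable shape from the advisory: the key lands inside a
    // single-quoted JSON-key literal with no escaping at all.
    static String vulnerablePgJsonExpr(String key) {
        return "(metadata->>'" + key + "')::text";
    }

    // Fixed shape for PostgreSQL with standard_conforming_strings = on:
    // inside a '...' literal only the quote itself is special, so doubling
    // it keeps the whole key inside the literal (backslashes are plain
    // characters in that mode).
    static String pgJsonExpr(String key) {
        return "(metadata->>'" + key.replace("'", "''") + "')::text";
    }

    // MariaDB treats backslash as an escape character by default, so both
    // '\' and '\'' must be escaped, and the backslash must be handled first
    // so the escaping of the quote is not itself re-escaped.
    static String mariaEscape(String s) {
        return s.replace("\\", "\\\\").replace("'", "\\'");
    }

    // Fixed MariaDB JSON path literal '$.<key>'. (JSON-path semantics of
    // dots and brackets inside the key are a separate concern from SQL
    // break-out and are not modelled here.)
    static String mariaJsonPathLiteral(String key) {
        return "'$." + mariaEscape(key) + "'";
    }

    // Vulnerable value handling from the advisory: the quote is escaped but
    // a trailing backslash swallows the closing quote of the literal.
    static String vulnerableMariaValue(String value) {
        return "'" + value.replace("'", "\\'") + "'";
    }

    static String mariaValue(String value) {
        return "'" + mariaEscape(value) + "'";
    }

    // Column mode: the key is a SQL identifier, not a string. Validate it
    // against a strict pattern and quote it; anything else is rejected
    // instead of being concatenated raw (the MariaDB fallback the advisory
    // describes).
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    static String columnIdentifier(String key) {
        if (!IDENT.matcher(key).matches()) {
            throw new IllegalArgumentException("rejected metadata key: " + key);
        }
        return "\"" + key + "\"";
    }

    public static void main(String[] args) {
        // The advisory's pgvector payload: in the vulnerable form the quote
        // closes the literal and pg_sleep(1) becomes live SQL, with "--"
        // commenting out the rest; in the fixed form it stays a literal.
        String pgPayload = "')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --";
        System.out.println(vulnerablePgJsonExpr(pgPayload));
        System.out.println(pgJsonExpr(pgPayload));

        // A MariaDB string value ending in a backslash (constructed input).
        String trailingBackslash = "abc\\";
        System.out.println(vulnerableMariaValue(trailingBackslash));
        System.out.println(mariaValue(trailingBackslash));
        System.out.println(mariaJsonPathLiteral("it's"));

        // Column mode: a plain key is quoted, the advisory's payload is refused.
        System.out.println(columnIdentifier("author"));
        try {
            columnIdentifier("1=1 OR true --");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The order of the two `replace` calls in `mariaEscape` matters: escaping the quote first and the backslash second would turn `\'` back into `\\'`, which ends the escape and leaves a bare quote.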

### Workarounds

- Do not pass untrusted input as metadata filter keys.
- Restrict filter keys to a known allow-list at the application layer.
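One way to apply the allow-list workaround at the application layer, as an added example rather than project code: walk the langchain4j `Filter` tree before it is handed to `EmbeddingSearchRequest.filter()` and reject any key outside a fixed set, failing closed on filter types the walker does not recognise. It assumes the langchain4j-core 1.x class layout (`And`/`Or`/`Not` with `left()`, `right()` and `expression()`; comparison filters exposing `key()`), Java 17 pattern-matching `instanceof`, and the hypothetical names `FilterKeyAllowList` and `check`.

```java
import static dev.langchain4j.store.embedding.filter.MetadataFilterBuilder.metadataKey;

import dev.langchain4j.store.embedding.filter.Filter;
import dev.langchain4j.store.embedding.filter.comparison.ContainsString;
import dev.langchain4j.store.embedding.filter.comparison.IsEqualTo;
import dev.langchain4j.store.embedding.filter.comparison.IsGreaterThan;
import dev.langchain4j.store.embedding.filter.comparison.IsGreaterThanOrEqualTo;
import dev.langchain4j.store.embedding.filter.comparison.IsIn;
import dev.langchain4j.store.embedding.filter.comparison.IsLessThan;
import dev.langchain4j.store.embedding.filter.comparison.IsLessThanOrEqualTo;
import dev.langchain4j.store.embedding.filter.comparison.IsNotEqualTo;
import dev.langchain4j.store.embedding.filter.comparison.IsNotIn;
import dev.langchain4j.store.embedding.filter.logical.And;
import dev.langchain4j.store.embedding.filter.logical.Not;
import dev.langchain4j.store.embedding.filter.logical.Or;
import java.util.Set;

/**
 * Rejects any metadata filter that references a key outside a fixed
 * allow-list. Added example; class and method names are assumptions,
 * the langchain4j filter classes are the library's own.
 */
public final class FilterKeyAllowList {

    private final Set<String> allowedKeys;

    public FilterKeyAllowList(Set<String> allowedKeys) {
        this.allowedKeys = Set.copyOf(allowedKeys);
    }

    /** Returns the filter unchanged when every key it references is allowed; throws otherwise. */
    public Filter check(Filter filter) {
        walk(filter);
        return filter;
    }

    private void walk(Filter f) {
        if (f instanceof And a) {
            walk(a.left());
            walk(a.right());
        } else if (f instanceof Or o) {
            walk(o.left());
            walk(o.right());
        } else if (f instanceof Not n) {
            walk(n.expression());
        } else if (f instanceof IsEqualTo c) {
            requireAllowed(c.key());
        } else if (f instanceof IsNotEqualTo c) {
            requireAllowed(c.key());
        } else if (f instanceof IsGreaterThan c) {
            requireAllowed(c.key());
        } else if (f instanceof IsGreaterThanOrEqualTo c) {
            requireAllowed(c.key());
        } else if (f instanceof IsLessThan c) {
            requireAllowed(c.key());
        } else if (f instanceof IsLessThanOrEqualTo c) {
            requireAllowed(c.key());
        } else if (f instanceof IsIn c) {
            requireAllowed(c.key());
        } else if (f instanceof IsNotIn c) {
            requireAllowed(c.key());
        } else if (f instanceof ContainsString c) {
            requireAllowed(c.key());
        } else {
            // Fail closed: an unknown filter type may carry a key this walker cannot see.
            throw new IllegalArgumentException("unsupported filter type: " + f.getClass().getName());
        }
    }

    private void requireAllowed(String key) {
        if (!allowedKeys.contains(key)) {
            throw new IllegalArgumentException("metadata filter key not allowed: " + key);
        }
    }

    public static void main(String[] args) {
        FilterKeyAllowList allow = new FilterKeyAllowList(Set.of("author", "year"));

        // Developer-defined keys pass through and can go on to
        // EmbeddingSearchRequest.builder().filter(...).
        Filter ok = metadataKey("author").isEqualTo("alice")
                .and(metadataKey("year").isGreaterThan(2020));
        allow.check(ok);

        // The advisory's pgvector payload used as a key is refused before
        // any SQL is built.
        Filter bad = metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --").isEqualTo("x");
        try {
            allow.check(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run `check` on every filter that is derived from user or model output, including filters produced by an LLM tool call, and only then pass the result to the store; the allow-list itself should be the set of metadata keys the application actually writes, not a pattern.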

### References

- pgvector: `JSONFilterMapper`, `ColumnFilterMapper`
- MariaDB: `JSONFilterMapper`, `MariaDbFilterMapper`, `ColumnFilterMapper`


Affected packages

| Package (Maven) | First affected version | Fixed version | Fix |
| --- | --- | --- | --- |
| dev.langchain4j:langchain4j-mariadb | 0 | 1.2.1-beta8 | pom.xml: bump `<version>1.2.1-beta8</version>` |
| dev.langchain4j:langchain4j-mariadb | 1.3.0-beta9 | 1.5.1-beta11 | pom.xml: bump `<version>1.5.1-beta11</version>` |
| dev.langchain4j:langchain4j-mariadb | 1.6.0-beta12 | 1.11.8-beta19 | pom.xml: bump `<version>1.11.8-beta19</version>` |
| dev.langchain4j:langchain4j-mariadb | 1.12.1-beta21 | 1.16.3-beta26 | pom.xml: bump `<version>1.16.3-beta26</version>` |
| dev.langchain4j:langchain4j-pgvector | 0 | 1.2.1-beta8 | pom.xml: bump `<version>1.2.1-beta8</version>` |
| dev.langchain4j:langchain4j-pgvector | 1.3.0-beta9 | 1.5.1-beta11 | pom.xml: bump `<version>1.5.1-beta11</version>` |
| dev.langchain4j:langchain4j-pgvector | 1.6.0-beta12 | 1.11.8-beta19 | pom.xml: bump `<version>1.11.8-beta19</version>` |
| dev.langchain4j:langchain4j-pgvector | 1.12.1-beta21 | 1.16.3-beta26 | pom.xml: bump `<version>1.16.3-beta26</version>` |

References