CVE-2024-8309

Source
https://cve.org/CVERecord?id=CVE-2024-8309
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8309.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-8309
Aliases
Downstream
Published
2024-10-29T12:50:13.198Z
Modified
2026-07-15T01:48:49.730161405Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
SQL Injection in langchain-ai/langchain
Details

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Database specific
{
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8309.json",
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/langchain-ai/langchain

Affected ranges

Type
GIT
Repo
https://github.com/langchain-ai/langchain
Events
Database specific
{
    "cpe": "cpe:2.3:a:langchain:langchain:0.2.5:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.2.5"
        },
        {
            "last_affected": "0.2.5"
        }
    ],
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.2.5
langchain-ai21==0.*
langchain-ai21==0.1.7
langchain-anthropic==0.*
langchain-anthropic==0.1.16
langchain-anthropic==0.1.17
langchain-anthropic==0.1.18
langchain-anthropic==0.1.19
langchain-anthropic==0.1.20
langchain-anthropic==0.1.21
langchain-anthropic==0.1.22
langchain-anthropic==0.1.23
langchain-box==0.*
langchain-box==0.1.0
langchain-chroma==0.*
langchain-chroma==0.1.2
langchain-cli==0.*
langchain-cli==0.0.26
langchain-cli==0.0.27
langchain-cli==0.0.28
langchain-cli==0.0.29
langchain-cli==0.0.30
langchain-community==0.*
langchain-community==0.2.10
langchain-community==0.2.11
langchain-community==0.2.12
langchain-community==0.2.13
langchain-community==0.2.14
langchain-community==0.2.15
langchain-community==0.2.16
langchain-community==0.2.17
langchain-community==0.2.5
langchain-community==0.2.6
langchain-community==0.2.7
langchain-community==0.2.9
langchain-core==0.*
langchain-core==0.2.10
langchain-core==0.2.11
langchain-core==0.2.12
langchain-core==0.2.13
langchain-core==0.2.15
langchain-core==0.2.16
langchain-core==0.2.17
langchain-core==0.2.18
langchain-core==0.2.19
langchain-core==0.2.20
langchain-core==0.2.21
langchain-core==0.2.22
langchain-core==0.2.23
langchain-core==0.2.24
langchain-core==0.2.25
langchain-core==0.2.26
langchain-core==0.2.27
langchain-core==0.2.28
langchain-core==0.2.29
langchain-core==0.2.29rc1
langchain-core==0.2.30
langchain-core==0.2.31
langchain-core==0.2.32
langchain-core==0.2.33
langchain-core==0.2.34
langchain-core==0.2.35
langchain-core==0.2.36
langchain-core==0.2.37
langchain-core==0.2.38
langchain-core==0.2.39
langchain-core==0.2.40
langchain-core==0.2.8
langchain-core==0.2.9
langchain-couchbase==0.*
langchain-couchbase==0.1.0
langchain-couchbase==0.1.1
langchain-experimental==0.*
langchain-experimental==0.0.61
langchain-experimental==0.0.62
langchain-experimental==0.0.63
langchain-experimental==0.0.64
langchain-experimental==0.0.65
langchain-fireworks==0.*
langchain-fireworks==0.1.4
langchain-fireworks==0.1.5
langchain-fireworks==0.1.6
langchain-fireworks==0.1.7
langchain-groq==0.*
langchain-groq==0.1.10
langchain-groq==0.1.6
langchain-groq==0.1.8
langchain-groq==0.1.9
langchain-ibm==0.*
langchain-ibm==0.1.8
langchain-ibm==0.1.9
langchain-milvus==0.*
langchain-milvus==0.1.2
langchain-milvus==0.1.3
langchain-milvus==0.1.4
langchain-mistralai==0.*
langchain-mistralai==0.1.10
langchain-mistralai==0.1.11
langchain-mistralai==0.1.12
langchain-mistralai==0.1.13
langchain-mistralai==0.1.9
langchain-mongodb==0.*
langchain-mongodb==0.1.7
langchain-mongodb==0.1.8
langchain-mongodb==0.1.9
langchain-ollama==0.*
langchain-ollama==0.1.0
langchain-ollama==0.1.1
langchain-ollama==0.1.2
langchain-ollama==0.1.3
langchain-openai==0.*
langchain-openai==0.1.10
langchain-openai==0.1.11
langchain-openai==0.1.12
langchain-openai==0.1.13
langchain-openai==0.1.14
langchain-openai==0.1.15
langchain-openai==0.1.16
langchain-openai==0.1.17
langchain-openai==0.1.19
langchain-openai==0.1.20
langchain-openai==0.1.21
langchain-openai==0.1.21rc1
langchain-openai==0.1.21rc2
langchain-openai==0.1.22
langchain-openai==0.1.23
langchain-openai==0.1.24
langchain-openai==0.1.25
langchain-openai==0.1.9
langchain-pinecone==0.*
langchain-pinecone==0.1.2
langchain-pinecone==0.1.3
langchain-prompty==0.*
langchain-prompty==0.0.3
langchain-qdrant==0.*
langchain-qdrant==0.1.2
langchain-qdrant==0.1.3
langchain-robocorp==0.*
langchain-robocorp==0.0.10
langchain-text-splitters==0.*
langchain-text-splitters==0.2.2
langchain-text-splitters==0.2.4
langchain-together==0.*
langchain-together==0.1.4
langchain-together==0.1.5
langchain-unstructured==0.*
langchain-unstructured==0.1.0
langchain-unstructured==0.1.1
langchain-unstructured==0.1.2
langchain==0.*
langchain==0.2.10
langchain==0.2.11
langchain==0.2.12
langchain==0.2.13
langchain==0.2.14
langchain==0.2.15
langchain==0.2.16
langchain==0.2.5
langchain==0.2.6
langchain==0.2.7
langchain==0.2.8
langchain==0.2.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8309.json"