GHSA-2mfg-cc43-9pcj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2mfg-cc43-9pcj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-2mfg-cc43-9pcj/GHSA-2mfg-cc43-9pcj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2mfg-cc43-9pcj
- Aliases
-
- CVE-2026-55405
- Published
- 2026-06-17T18:39:56Z
- Modified
- 2026-06-17T18:45:31.913100575Z
- Severity
-
- 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L CVSS Calculator
- Summary
- LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector
- Details
-
Summary
The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in
EmbeddingSearchRequest.filter()can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search andremoveAll(Filter)operations.Details
pgvector — JSON mode (default,
COMBINED_JSON/COMBINED_JSONB).JSONFilterMapperplaces the key inside a single-quoted SQL literal (the JSON key of the->>operator) with no escaping:(metadata->>'<key>')::textA key containing a single quote breaks out, e.g.
metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --")injects a livepg_sleep(1)(observable as a delay; exploitable for blind data extraction).pgvector — column mode (
COLUMN_PER_KEY).ColumnFilterMapperused the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as1=1 OR true --injects directly.MariaDB — JSON mode (default).
JSONFilterMapperplaced the key inside the JSON path literal'$.<key>'unescaped (same break-out mechanism). Additionally,MariaDbFilterMapper.formatValue()escaped'but not\; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.MariaDB — column mode (
COLUMN_PER_KEY).ColumnFilterMapperfell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).The filter key is the runtime injection surface; both stores'
search()(including pgvector's HYBRID mode) andremoveAll(Filter)are affected. Add/upsert operations a parameterized and not affected.Impact
Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and — through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable.
Patches
Fixed in
langchain4j-mariadbandlangchain4j-pgvector1.16.3-beta26: - JSON filter keys are escaped before being embedded in the SQL string lit quotes doubled, correct for PostgreSQLstandard_conforming_strings = on; MariaDB: backslash and single quote). - MariaDB string values escape both\and'. - Column-mode keys are validated/quoted as identifiers and rejected when u concatenated as raw SQL.Workarounds
- Do not pass untrusted input as metadata filter keys.
- Restrict filter keys to a known allow-list at the application layer.
References
- pgvector:
JSONFilterMapper,ColumnFilterMapper - MariaDB:
JSONFilterMapper,MariaDbFilterMapper,ColumnFilterMapper
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-17T18:39:56Z", "nvd_published_at": null, "severity": "HIGH", "cwe_ids": [ "CWE-89" ] }- References
Affected packages
Maven
dev.langchain4j:langchain4j-mariadb
Package
- Name
- dev.langchain4j:langchain4j-mariadb
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-mariadb
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.1-beta8
dev.langchain4j:langchain4j-mariadb
Package
- Name
- dev.langchain4j:langchain4j-mariadb
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-mariadb
dev.langchain4j:langchain4j-mariadb
Package
- Name
- dev.langchain4j:langchain4j-mariadb
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-mariadb
dev.langchain4j:langchain4j-mariadb
Package
- Name
- dev.langchain4j:langchain4j-mariadb
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-mariadb
dev.langchain4j:langchain4j-pgvector
Package
- Name
- dev.langchain4j:langchain4j-pgvector
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-pgvector
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.2.1-beta8
Affected versions
0.*
1.*
dev.langchain4j:langchain4j-pgvector
Package
- Name
- dev.langchain4j:langchain4j-pgvector
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-pgvector
dev.langchain4j:langchain4j-pgvector
Package
- Name
- dev.langchain4j:langchain4j-pgvector
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-pgvector
dev.langchain4j:langchain4j-pgvector
Package
- Name
- dev.langchain4j:langchain4j-pgvector
- View open source insights on deps.dev
- Purl
- pkg:maven/dev.langchain4j/langchain4j-pgvector