Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

INFO

Published Date :

2024-10-29T12:50:13.198Z

Last Modified :

2025-10-15T12:50:40.456Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-8309 vulnerability.

Vendors Products
Langchain
  • Langchain
Langchain-ai
  • Langchain
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-8309.

URL Resource
https://api.python.langchain.com/en/latest/chains/langchain.chains.graph_qa.cypher.GraphCypherQAChain.html cve-icon
https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255 cve-icon cve-icon cve-icon
https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-8309 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-8309 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact