CVE-2024-8309
Published 2024-10-29
Priority: P267 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 13.80% (96.0th percentile)
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain-ai_langchain | >= unspecified < 0.3.0 | 0.3.0 |
| langchain | langchain | — | — |
| langchain | langchain | >= 0 < 0.2.0 | 0.2.0 |
| langchain | langchain | >= 0 < c2a3021bb0c5f54649d380b42a0684ca5778c255 | c2a3021bb0c5f54649d380b42a0684ca5778c255 |
Detection & IOCs (extracted from sources)
- Vulnerable class is GraphCypherQAChain in langchain-ai/langchain version 0.2.5; monitor for prompt injection payloads targeting this class that result in Cypher query manipulation (SQL/Cypher injection via prompt injection).
- Exploitation requires an exposed endpoint that accepts user inputs routed through GraphCypherQAChain; audit and monitor such endpoints for anomalous Cypher queries (e.g., CREATE, UPDATE, DELETE node/relationship operations not expected from normal usage).
- Attack surface includes multi-tenant environments; monitor for cross-tenant data access patterns or unexpected bulk data deletion (DoS via delete-all) originating from LangChain GraphCypherQAChain query execution.
- The GraphCypherQAChain class has explicit documentation requiring appropriate RBAC controls; absence of RBAC on the Neo4j/graph database backend is a prerequisite for successful exploitation. Verify RBAC is enforced at the database layer.
- Policy-based LangChain frameworks lack cryptographic binding, meaning a compromised LLM can generate syntactically valid but semantically malicious Cypher calls that bypass policy checks; runtime verification outside the LLM is required.
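The monitoring and runtime-verification points above can be implemented as a check on the generated Cypher before it reaches the database. This is an added example, not code from LangChain or from any of the listed sources; `write_clauses`, `audit` and the sample queries are constructed for illustration, and the clause list assumes the chain only needs read queries.

```python
import re

# Mask strings, backtick identifiers and comments first, so keywords that occur
# inside data (e.g. a movie title) are not mistaken for clauses.
_MASK = re.compile(r"""
    '(?:\\.|[^'\\])*'     # single-quoted string literal
  | "(?:\\.|[^"\\])*"     # double-quoted string literal
  | `(?:``|[^`])*`        # backtick-quoted identifier
  | //[^\n]*              # line comment
  | /\*.*?\*/             # block comment
""", re.VERBOSE | re.DOTALL)

# Clauses that change data or schema (SET is Cypher's update clause). CALL and
# LOAD CSV are flagged conservatively (assumption: only MATCH ... RETURN is needed).
# The lookbehind skips property names (n.set), labels (:Set) and parameters ($set).
_WRITE = re.compile(
    r"(?<![\w.:$])\b(CREATE|MERGE|DETACH\s+DELETE|DELETE|SET|REMOVE|DROP"
    r"|FOREACH|CALL|LOAD\s+CSV)\b",
    re.IGNORECASE,
)

def write_clauses(cypher: str) -> list[str]:
    """Return the write/admin clauses found in an LLM-generated Cypher string."""
    masked = _MASK.sub(" ", cypher)
    return [" ".join(m.group(1).upper().split()) for m in _WRITE.finditer(masked)]

def audit(generated: list[str]) -> list[tuple[str, list[str]]]:
    """Return (query, clauses) for every generated query that is not read-only."""
    flagged = []
    for query in generated:
        found = write_clauses(query)
        if found:
            flagged.append((query, found))
    return flagged

# Constructed sample of generated queries, as a query log might record them.
SAMPLE = [
    "MATCH (p:Person)-[:ACTED_IN]->(m:Movie) WHERE m.title = 'Create and Delete' RETURN p.name",
    "MATCH (m:Movie) // no delete here\nRETURN m.title LIMIT 5",
    "MATCH (n) DETACH DELETE n",
    "MATCH (u:User {tenant: 'a'}) SET u.role = 'admin' RETURN u",
    "MATCH (a:Person), (b:Person) MERGE (a)-[:KNOWS]->(b)",
]

if __name__ == "__main__":
    for query, clauses in audit(SAMPLE):
        print(f"BLOCK {clauses}: {query!r}")
```

A keyword filter of this kind is a second layer; the database-side control remains a role that has no write privileges.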
CVSS provenance
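| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 4.9 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
| vendor_redhat | — | 9.8 | CRITICAL | — |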
OSV
CVE-2024-8309: A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0
osv·2024-11-05
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
GHSA
Langchain SQL Injection vulnerability
ghsa·2024-10-29
CVE-2024-8309 [LOW] CWE-74 Langchain SQL Injection vulnerability
OSV
Langchain SQL Injection vulnerability
osv·2024-10-29
CVE-2024-8309 [LOW] Langchain SQL Injection vulnerability
Red Hat
langchain: SQL Injection in langchain-ai/langchain
vendor_redhat·2024-10-29·CVSS 9.8
CVE-2024-8309 [CRITICAL] CWE-89 langchain: SQL Injection in langchain-ai/langchain
A security issue was discovered in the LangChain LLM framework. In certain configurations, an attacker may be able to execute a SQL injection attack via prompt injection. This may lead
No detection rules found.
No public exploits indexed.
arXiv
Cascade: Composing Software-Hardware Attack Gadgets for Adversarial Threat Amplification in Compound AI Systems
arxiv_fulltext·2026-03-12
Sarbartha Banerjee (1, 2, 6), Prateek Sahu (1, 2), Anjo Vahldiek-Oberwagner (3), Jose Sanchez Vicarte (5), Mohit Tiwari (2, 4)
2: The University of Texas at Austin; 3: Intel Labs; 4: Symmetry Systems; 5: Microsoft; 6: Georgia Tech
1: Sarbartha Banerjee and Prateek Sahu are equal contributors.
## Abstract
Rapid progress in generative AI has given rise to Compound AI systems - pipelines comprised of multiple large language models (LLM), software tools and database systems.
Compound AI systems are constructed on a layered traditional software stack running on a distributed hardware infrastructure.
Many of the diverse software components are vulnerable to tradit
arXiv
Protecting Context and Prompts: Deterministic Security for Non-Deterministic AI
arxiv_fulltext·2026-02-11
## Abstract
Large Language Model (LLM) applications are vulnerable to prompt injection and context manipulation attacks that traditional security models cannot prevent. We introduce two novel primitives---authenticated prompts and authenticated context---that provide cryptographically verifiable provenance across LLM workflows. Authenticated prompts enable self-contained lineage verification, while authenticated context uses tamper-evident hash chains to ensure integrity of dynamic inputs.
Building on these primitives, we formalize a policy algebra with four proven
theorems providing protocol-level Byzantine resistance—even adversarial agents
cannot violate organizational policies
Five complementary defenses---from lightweight resource controls to LLM-based semantic validation---deliver l
arXiv
LLM in the Middle: A Systematic Review of Threats and Mitigations to Real-World LLM-based Systems
arxiv_fulltext·2025-09-12
Vitor Hugo Galhardo Moia (ORCID 0000-0003-0396-2873), Igor Jochem Sanz (ORCID 0000-0002-1122-0784), Gabriel Antonio Fontes Rebello (ORCID 0000-0003-3344-0734), Rodrigo Duarte de Meneses (ORCID 0009-0008-7026-6863), Briland Hitaj (ORCID 0000-0001-5925-3027), and Ulf Lindqvist (ORCID 0009-0002-5941-0947)
Vitor Hugo Galhardo Moia, Igor Jochem Sanz, Gabriel Antonio Fontes Rebello, and Rodrigo Duarte de Meneses are with Instituto de Pesquisas Eldorado, Av. Alan Turing, 275 - Cidade Universitária, Campinas - SP, 13083-898, Brazil.
Briland Hitaj and Ulf Lindqvist are with the Computer Science Lab, SRI International, 333
arXiv
SoK: Understanding Vulnerabilities in the Large Language Model Supply Chain
arxiv_fulltext·2025-02-18
Shenao Wang, Yanjie Zhao, Zhao Liu, Quanchen Zou, Haoyu Wang
Huazhong University of Science and Technology
360 AI Security Lab
## Abstract
Large Language Models (LLMs) transform artificial intelligence, driving advancements in natural language understanding, text generation, and autonomous systems. The increasing complexity of their development and deployment introduces significant security challenges, particularly within the LLM supply chain. However, existing research primarily focuses on content safety, such as adversarial attacks, jailbreaking, and backdoor attacks, while overlooking security vulnerabilities in the underlying software systems. To address this gap, this study systematically anal
Bugzilla
CVE-2024-8309 langchain: SQL Injection in langchain-ai/langchain
bugzilla·2024-10-29·CVSS 9.8
CVE-2024-8309 [CRITICAL] CVE-2024-8309 langchain: SQL Injection in langchain-ai/langchain
Published: 2024-10-29