Advisory

Multiple critical vulnerabilities impacting LangChain generative AI framework

Take action: If you are using the LangChain generative AI framework, apply the patches. Even where an exploit is complex, the longer the framework stays unpatched, the more time attackers have to work out how to abuse it. Blocklists help, but they are bypassable and not always practical, so treat them as a partial mitigation rather than a fix.


Learn More

Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open-source generative AI framework. LangChain is an open-source library designed to simplify the usage of large language models (LLMs) by providing composable building blocks, connectors to models, and integrations with third-party services. Its partner packages include major names in cloud, AI, databases, and tech development.

The reported vulnerabilities could allow attackers to access sensitive data (via server-side request forgery) and to execute arbitrary code (via prompt injection), respectively.

These vulnerabilities are tracked as:

  • CVE-2023-46229 (CVSS score 9.3) - Server-side request forgery (SSRF) vulnerability in LangChain versions earlier than 0.0.317. This flaw allows attackers to obtain sensitive information from intranets, potentially bypassing access controls. It's patched in LangChain version 0.0.317. As mitigation, LangChain added the function _extract_scheme_and_domain and an allowlist to control permitted domains.
    • LangChain's SitemapLoader feature, which loads documents from third-party websites, lacked restrictions on the scope of sitemap access, resulting in an SSRF vulnerability. This could be exploited by including URLs to intranet resources in a sitemap, leading to data exfiltration.

      • Code Flow:
        • SitemapLoader class extends WebBaseLoader, accepting a URL (web_path) and parsing it as a sitemap.
        • The scrape_all method uses aiohttp.ClientSession.get to fetch content without filtering or sanitization.
        • Malicious actors could exploit this to access sensitive intranet APIs and obtain confidential information.
  • CVE-2023-44467 (CVSS score 9.8) - Prompt injection vulnerability in LangChain Experimental versions before 0.0.306. This flaw affects the PALChain feature, allowing attackers to execute harmful commands or code by exploiting PALChain's processing capabilities. It's patched in LangChain Experimental version 0.0.306. As a mitigation, LangChain expanded the blocklist to include additional functions and methods to prevent unauthorized code execution.
    • The PALChain feature of LangChain Experimental converts user queries into executable Python code. This feature is vulnerable to prompt injection attacks, allowing the execution of harmful commands.

      • Code Flow:
        • The from_math_prompt method translates user queries into Python code.
        • Malicious input can bypass the blocklist and reach command execution through indirection, for example via the built-in __import__() function, which is not one of the names the original check looked for.
        • LangChain's initial blocklist included only four functions (system, exec, execfile, and eval), which was insufficient to prevent all potential bypasses.
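The sitemap-scoping problem in the CVE-2023-46229 item above, as an added example that is not LangChain's code: a minimal loader that fetches every <loc> in a sitemap (the vulnerable shape) beside one that first compares each URL's scheme and host against the sitemap's own origin, which is the shape of the _extract_scheme_and_domain allowlist fix. The sitemap XML is constructed, the fetch is a recording stub (no network), and the parameter names restrict_to_same_domain, allow_url_schemes and allowed_domains are this example's own assumptions rather than the library's API.

```python
# Added example (not LangChain's own code): sitemap URL scoping before fetch.
# The sitemap below is constructed; the "fetch" is a stub that records URLs
# and makes no network requests.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap as a hostile third-party site could serve it: two
# legitimate pages plus cloud-metadata, intranet and local-file targets.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://docs.example.com/intro</loc></url>
  <url><loc>https://docs.example.com/api</loc></url>
  <url><loc>http://169.254.169.254/latest/meta-data/</loc></url>
  <url><loc>http://10.0.0.5:8080/admin/users</loc></url>
  <url><loc>file:///etc/passwd</loc></url>
</urlset>
"""


def parse_sitemap_locs(xml_text):
    """Return every <loc> URL in the sitemap, in document order.

    ElementTree is fine for a constructed string; parse untrusted
    sitemaps with defusedxml in production.
    """
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter(SITEMAP_NS + "loc") if el.text]


def extract_scheme_and_domain(url):
    """(scheme, host[:port]) of a URL; the key the origin check compares on."""
    parsed = urlparse(url)
    return parsed.scheme.lower(), parsed.netloc.lower()


def recording_fetch(url):
    """Stand-in for aiohttp.ClientSession.get: returns the URL it would request."""
    return url


def vulnerable_load(sitemap_url, xml_text, fetch=recording_fetch):
    """Pre-fix shape: every <loc> is fetched, wherever it points."""
    return [fetch(url) for url in parse_sitemap_locs(xml_text)]


def hardened_load(sitemap_url, xml_text, fetch=recording_fetch,
                  restrict_to_same_domain=True,
                  allow_url_schemes=("http", "https"),
                  allowed_domains=()):
    """Fetch only URLs with an allowed scheme whose host is the sitemap's own
    host or an explicitly allowlisted one. Returns (fetched, skipped)."""
    _, own_domain = extract_scheme_and_domain(sitemap_url)
    allowed = {own_domain, *(d.lower() for d in allowed_domains)}
    fetched, skipped = [], []
    for url in parse_sitemap_locs(xml_text):
        scheme, domain = extract_scheme_and_domain(url)
        if scheme not in allow_url_schemes:
            skipped.append(url)          # file://, gopher://, ...
        elif restrict_to_same_domain and domain not in allowed:
            skipped.append(url)          # intranet / metadata endpoints
        else:
            fetched.append(fetch(url))
    return fetched, skipped


if __name__ == "__main__":
    origin = "https://docs.example.com/sitemap.xml"
    print("vulnerable:", vulnerable_load(origin, SITEMAP_XML))
    print("hardened:  ", hardened_load(origin, SITEMAP_XML))
```

The check runs before any request is issued, so a same-origin URL that redirects to an internal address would still be followed unless redirects are disabled or every hop is re-checked against the same allowlist; the same applies to a hostname that resolves to an internal address.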

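The PALChain blocklist weakness in the CVE-2023-44467 item above, as an added example that is not PALChain's own validator: a check that rejects only direct calls to the four names the text reports (system, exec, execfile, eval) beside an AST walk that also catches indirection through __import__, getattr and dunder attributes. The generated programs are constructed strings and are only parsed, never executed; the expanded name sets are this example's own choices, not the library's list.

```python
# Added example (not PALChain's own validator): a four-name blocklist over
# LLM-generated Python beside an AST check that also catches indirection.
# All programs below are constructed strings; they are parsed, never executed.
import ast

# The four names the text reports as the pre-0.0.306 blocklist.
ORIGINAL_BLOCKLIST = {"system", "exec", "execfile", "eval"}

# Builtins that reach the OS or the interpreter indirectly (example set).
EXPANDED_BLOCKLIST = ORIGINAL_BLOCKLIST | {
    "__import__", "compile", "open", "getattr", "globals", "vars", "breakpoint",
}
# Attribute names that walk from any object back to builtins or modules.
DUNDER_ATTRS = {
    "__import__", "__builtins__", "__globals__", "__subclasses__", "__bases__",
    "__mro__", "__base__", "__getattribute__", "__dict__", "__class__",
}

# Constructed "generated" programs: a benign PAL-style solution, one direct
# eval, and three that reach execution without naming the four functions.
BENIGN = "def solution():\n    apples = 12\n    eaten = 5\n    return apples - eaten\nsolution()"
DIRECT_EVAL = "eval('1+1')"
BYPASS_IMPORT = "__import__('os').popen('id').read()"
BYPASS_SUBCLASSES = "().__class__.__bases__[0].__subclasses__()"
BYPASS_GETATTR = "getattr(__builtins__, 'ev' + 'al')('1+1')"


def naive_validate(code):
    """Pre-fix shape: reject only a direct call to one of four bare names."""
    for node in ast.walk(ast.parse(code)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ORIGINAL_BLOCKLIST):
            return False
    return True


def find_violations(code, allow_imports=False):
    """Return the reasons a program is rejected (empty list means accepted).

    Flags import statements, any blocklisted name whether called, passed
    around or merely referenced, and any dunder attribute access.
    """
    blocked = EXPANDED_BLOCKLIST | DUNDER_ATTRS
    violations = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, (ast.Import, ast.ImportFrom)) and not allow_imports:
            violations.append("import statement")
        elif isinstance(node, ast.Name) and node.id in blocked:
            violations.append(f"reference to {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr in blocked:
            violations.append(f"attribute access .{node.attr}")
    return violations


def strict_validate(code):
    """Accept only programs with no violations."""
    return not find_violations(code)


if __name__ == "__main__":
    for label, prog in [("benign", BENIGN), ("direct eval", DIRECT_EVAL),
                        ("__import__", BYPASS_IMPORT),
                        ("__subclasses__", BYPASS_SUBCLASSES),
                        ("getattr", BYPASS_GETATTR)]:
        print(f"{label:15} naive={naive_validate(prog)!s:5} "
              f"strict={strict_validate(prog)!s:5} {find_violations(prog)}")
```

Even the expanded walk is still an enumeration of bad patterns: a generated program can reach module globals through an exception traceback (e.__traceback__.tb_frame.f_globals) without touching any name listed here. A blocklist over model-written code is defense in depth; the sound control is to run that code in an isolated process with no network or filesystem access and to log the generated source.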
Users should update to LangChain 0.0.317 or later and LangChain Experimental 0.0.306 or later, which ship the domain allowlist for SitemapLoader and the expanded PALChain blocklist. A blocklist only catches the names it enumerates, so treat it as defense in depth: keep sitemap loading restricted to trusted domains, and run any LLM-generated code in an isolated environment rather than in the application process.
