“Identifying Vulnerabilities in LangChain’s Generative AI”

Palo Alto Networks researchers identified two critical vulnerabilities in LangChain: CVE-2023-46229, a server-side request forgery via SitemapLoader, and CVE-2023-44467, a prompt-injection flaw in LangChain Experimental’s PALChain. The report provides a technical examination, patch details, mitigations, and guidance for defenders deploying LangChain and related tooling.
#CVE-2023-46229 #CVE-2023-44467 #LangChain #LangChainExperimental #PALChain #SSRF #promptinjection #SitemapLoader

Keypoints

  • Two CVEs are identified: CVE-2023-46229 (SSRF) and CVE-2023-44467 (prompt injection) affecting LangChain and LangChain Experimental.
  • The SSRF flaw arises because SitemapLoader (built on urllib and BeautifulSoup) fetched every URL listed in a supplied sitemap without restricting the URL's scheme or domain, so an attacker-controlled sitemap could point the loader at intranet resources, risking data leakage and, in the report's assessment, potential remote code execution.
  • LangChain patched CVE-2023-46229 in version 0.0.317 (PR 11925), adding a helper, _extract_scheme_and_domain, that checks each listed URL's scheme and domain against an allowlist before it is fetched.
  • CVE-2023-44467 affects PALChain (Program-Aided Language) in LangChain Experimental, which executes Python generated by the model; a prompt injection can therefore make the model emit code that executes arbitrary commands. LangChain issued warnings on the package's PyPI page.
  • Mitigations include expanding the blocklist of dangerous functions and imports (PR 11233) and broader protections that limit what code generated from prompts is allowed to execute.
  • Defense guidance emphasizes updating LangChain, applying cloud and network protections (NGFW, Cortex XDR/XSIAM, Prisma Cloud), and monitoring for AI-driven abuses.
  • The report underscores broader security practices for AI deployments and the importance of community collaboration to strengthen protections.
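The scheme-and-domain check described above, as an added example that is not LangChain's SitemapLoader code: it parses a sitemap, extracts every <loc>, and accepts only URLs whose scheme is allowed and whose host matches the sitemap's own host. The function names, the restrict_to_same_domain/allowed_schemes parameters, the additional private-address check and the sample sitemap are all assumptions of this example, constructed for the demonstration rather than taken from the report.

```python
"""Illustrative sitemap-URL filtering in the spirit of the CVE-2023-46229 fix.

Added example, not LangChain's own code. The parameter names, the
private-address check and the sample sitemap are assumptions of this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sample: legitimate pages mixed with entries that point at an
# intranet service, a cloud metadata endpoint, a local file and a third party.
SAMPLE_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://docs.example.com/intro</loc></url>
  <url><loc>https://docs.example.com/api/reference</loc></url>
  <url><loc>http://169.254.169.254/latest/meta-data/</loc></url>
  <url><loc>http://10.0.0.5:8500/v1/kv/secrets</loc></url>
  <url><loc>file:///etc/passwd</loc></url>
  <url><loc>https://evil.example.net/exfil</loc></url>
</urlset>"""


def _extract_scheme_and_domain(url: str) -> Tuple[str, str]:
    """Return (scheme, host) for a URL; host is lower-cased with the port dropped."""
    parsed = urlparse(url)
    return parsed.scheme.lower(), (parsed.hostname or "").lower()


def _is_private_host(host: str) -> bool:
    """Assumption of this example: reject literal private, loopback and
    link-local addresses (covers 169.254.169.254) even when the domain check
    is switched off. Hostnames that resolve to such addresses are not covered
    here; that needs a resolution-time check in the HTTP client."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def parse_sitemap_locs(xml_bytes: bytes) -> List[str]:
    """Extract every <loc> text from a sitemap <urlset> document."""
    root = ET.fromstring(xml_bytes)
    return [loc.text.strip() for loc in root.iterfind(".//sm:loc", SITEMAP_NS) if loc.text]


def filter_sitemap_urls(
    sitemap_url: str,
    xml_bytes: bytes,
    allowed_schemes: Tuple[str, ...] = ("http", "https"),
    restrict_to_same_domain: bool = True,
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split the sitemap's URLs into (accepted, rejected_with_reason).

    Only the accepted list should ever be handed to the fetcher; the pre-fix
    behaviour was equivalent to accepting everything.
    """
    _, base_host = _extract_scheme_and_domain(sitemap_url)
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for url in parse_sitemap_locs(xml_bytes):
        scheme, host = _extract_scheme_and_domain(url)
        if scheme not in allowed_schemes:
            rejected.append((url, "scheme not allowed"))
        elif restrict_to_same_domain and host != base_host:
            rejected.append((url, "host differs from sitemap host"))
        elif _is_private_host(host):
            rejected.append((url, "private or link-local address"))
        else:
            accepted.append(url)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_sitemap_urls("https://docs.example.com/sitemap.xml", SAMPLE_SITEMAP)
    print("accepted:", ok)
    for url, reason in bad:
        print("rejected:", url, "->", reason)
```

With the same-domain restriction on, only the two docs.example.com pages survive; with it off, the third-party host is fetched but the metadata endpoint, the intranet service and the file:// entry are still dropped. The private-address check is a belt-and-braces addition: a same-domain rule alone does not help when the sitemap itself is served from inside the network.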

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – A malicious actor could exploit the SSRF in SitemapLoader to reach intranet resources and leak data. ‘A malicious actor could include URLs to intranet resources in the provided sitemap. This can result in SSRF and the unintentional leakage of sensitive data when content from the listed URLs is fetched and returned.’ (The original mapping to T1203, Exploitation for Client Execution, does not fit an SSRF in a server-side loader.)
  • [T1059] Command and Scripting Interpreter (Python, T1059.006) – Prompt injection manipulates the input to PALChain so that the model's generated Python executes arbitrary commands, potentially bypassing restrictions on command execution. ‘Using prompt injection, an attacker can manipulate the input to the PALChain feature to execute arbitrary commands.’
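The blocklist approach behind the PALChain hardening, as an added example that is not langchain-experimental's code: generated Python is parsed into an AST and refused if it imports a blocked module, calls a blocked function, or touches dunder attributes, before anything is executed. The blocklists, the function names and the two "generated" programs are assumptions of this example, constructed to stand in for model output.

```python
"""Illustrative AST validation of LLM-generated Python before execution, in
the spirit of the CVE-2023-44467 mitigations.

Added example, not langchain-experimental's code. BLOCKED_CALLS,
BLOCKED_MODULES and the sample programs are assumptions of this example.
"""
import ast
from typing import Any, List

# Calls that hand control to the OS or to the interpreter's eval machinery.
BLOCKED_CALLS = {"system", "popen", "exec", "eval", "execfile", "compile", "__import__", "open"}
# Modules that give a generated program a way to run commands or touch the host.
BLOCKED_MODULES = {"os", "subprocess", "sys", "importlib", "ctypes", "socket", "shutil", "pathlib"}

# Constructed: what an honest PAL-style solution looks like (5 + 2*3 = 11).
BENIGN_PROGRAM = """
def solution():
    apples = 5
    apples_bought = 2 * 3
    return apples + apples_bought
"""

# Constructed: what a prompt-injected "solution" looks like.
INJECTED_PROGRAM = """
def solution():
    import os
    return os.popen("id").read()
"""

# Constructed: the classic sandbox escape that uses no import at all.
ESCAPE_PROGRAM = """
def solution():
    return ().__class__.__base__.__subclasses__()
"""


class UnsafeCode(ValueError):
    """Raised when generated code fails validation."""


def validate_code(source: str) -> List[str]:
    """Return a list of violations found in the generated source (empty = passed)."""
    tree = ast.parse(source)
    violations: List[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in BLOCKED_MODULES:
                    violations.append(f"import of blocked module {alias.name!r} (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in BLOCKED_MODULES:
                violations.append(f"import from blocked module {node.module!r} (line {node.lineno})")
        elif isinstance(node, ast.Call):
            func = node.func
            name = None
            if isinstance(func, ast.Name):
                name = func.id
            elif isinstance(func, ast.Attribute):
                name = func.attr
            if name in BLOCKED_CALLS:
                violations.append(f"call to blocked function {name!r} (line {node.lineno})")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            # Dunder access is how sandbox escapes reach object internals.
            violations.append(f"dunder attribute access {node.attr!r} (line {node.lineno})")
    return violations


def run_generated_program(source: str) -> Any:
    """Validate, then execute and call solution(). The pre-fix behaviour was
    equivalent to skipping the validation step entirely."""
    violations = validate_code(source)
    if violations:
        raise UnsafeCode("; ".join(violations))
    namespace: dict = {}
    exec(source, namespace)  # still the host interpreter, not a sandbox
    return namespace["solution"]()


if __name__ == "__main__":
    print("benign ->", run_generated_program(BENIGN_PROGRAM))
    for label, program in (("injected", INJECTED_PROGRAM), ("escape", ESCAPE_PROGRAM)):
        try:
            run_generated_program(program)
        except UnsafeCode as err:
            print(f"{label} rejected: {err}")
```

The caveat a practitioner should keep in mind: an AST blocklist narrows the attack surface, but the code still runs in the host interpreter, and blocklists are bypassed by techniques nobody thought to list. Treat it as one layer, and run model-generated code in an isolated environment (separate process, container or sandbox with no network or credentials) as well.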

Indicators of Compromise

  • [URL] context – LangChain resources and vulnerability references (reference links, not malicious indicators): https://www.langchain.com/langchain, https://github.com/langchain-ai/langchain/pull/11925, https://pypi.org/project/langchain-experimental/0.0.13/
  • [CVE] context – CVE-2023-46229, CVE-2023-44467
  • [Software Component] context – LangChain, LangChain Experimental, SitemapLoader, PALChain

Read more: https://unit42.paloaltonetworks.com/langchain-vulnerabilities/