PyPI: langchain-community

CVE-2024-8309

Safety vulnerability ID: SFTY-20241029-31535

Safety legacy ID: pyup.io-73959

Affected versions of langchain-ai/langchain are vulnerable to SQL injection through GraphCypherQAChain class. This vulnerability allows attackers to manipulate database queries via malicious input in prompts, potentially leading to unauthorized data access, manipulation, and cross-tenant data breaches. The vulnerability exists in the query processing logic of GraphCypherQAChain where user input is not properly sanitized. Successfully exploiting this requires access to the API endpoint.

PythonPyPINVDNVDGitHubGHSA
Created at: Nov 5, 2025Updated at: Nov 5, 2025

Overview

Langchain SQL Injection vulnerability

Advisory

Affected versions of langchain-ai/langchain are vulnerable to SQL injection through GraphCypherQAChain class. This vulnerability allows attackers to manipulate database queries via malicious input in prompts, potentially leading to unauthorized data access, manipulation, and cross-tenant data breaches. The vulnerability exists in the query processing logic of GraphCypherQAChain where user input is not properly sanitized. Successfully exploiting this requires access to the API endpoint.

Affected Package

Affecting langchain-community package, versions
>=0.2.0,<0.2.19

Also affects

---

How to Fix

Upgrade
langchain-community
to
0.2.19
or higher.

Mitigation and Workarounds

---

Vulnerable Functions

Functions linked to known vulnerabilities.

Vulnerable function data is available for Enterprise customers

Book a call with us to see Safety in action.

References

Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.

Learn more