langchain@0.2.3-rc.0 vulnerabilities

Typescript bindings for langchain

Direct Vulnerabilities

Known vulnerabilities in the langchain package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
SQL Injection

langchain is a Typescript bindings for langchain

Affected versions of this package are vulnerable to SQL Injection via the default configuration of the GraphCypherQAChain class, by manipulating entities in the graph database through prompt injection.

How to fix SQL Injection?

Upgrade langchain to version 0.3.3 or higher.

<0.3.3
  • M
Arbitrary File Write via Archive Extraction (Zip Slip)

langchain is a Typescript bindings for langchain

Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) in the getFullPath method, which allows an attacker to save files anywhere in the filesystem through the setFileContent function, overwrite and read existing text files through the getParsedFile function, and delete files through the mdelete function.

How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

Upgrade langchain to version 0.2.19 or higher.

<0.2.19