CVE-2023-32786 — Langchain Server-Side Request Forgery vulnerability

Description

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

How to fix CVE-2023-32786

To remediate CVE-2023-32786, upgrade the affected package to a fixed version below.

PyPI/langchain—upgrade to 0.0.329 or later

Is CVE-2023-32786 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.0.329

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-32786
PATCHgithub.com/langchain-ai/langchain
WEBgist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1
WEBgithub.com/langchain-ai/langchain/pull/12747
WEB