CVE-2023-32785: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

October 20, 2023 (updated October 27, 2023)

In Langchain through 0.0.155, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.

References

gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f
github.com/advisories/GHSA-8h5w-f6q9-wg35
nvd.nist.gov/vuln/detail/CVE-2023-32785

Detect and mitigate CVE-2023-32785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →