CVE-2025-8709

Published: 26 Oct 2025
Source: redhat
CVSS3: 7.3
EPSS: Low

Description

A SQL injection vulnerability exists in the langchain-ai/langchain repository, specifically in the LangGraph's SQLite store implementation. The affected version is langgraph-checkpoint-sqlite 2.0.10. The vulnerability arises from improper handling of filter operators ($eq, $ne, $gt, $lt, $gte, $lte) where direct string concatenation is used without proper parameterization. This allows attackers to inject arbitrary SQL, leading to unauthorized access to all documents, data exfiltration of sensitive fields such as passwords and API keys, and a complete bypass of application-level security filters.

A SQL injection vulnerability exists in LangGraph’s SQLite store implementation due to improper string concatenation when building filter conditions in the _get_filter_condition() function. The JSON key portion of the json_extract() path is directly concatenated into SQL statements without sanitization or parameterization. This allows an attacker who can control filter keys to inject arbitrary SQL expressions, bypass access controls, and retrieve sensitive data such as passwords or API keys from the database.

Statement

Red Hat Product Security team has reviewed this issue and determined that it does not impact any of our products. The vulnerable component, LangGraph SQLite Checkpoint (langgraph-checkpoint-sqlite), is not shipped or included in any Red Hat product or offering. Since this package is not part of our supported codebase or dependencies, no Red Hat products are affected by this vulnerability.

This vulnerability is classified as Important severity rather than Critical because, while it enables full data exposure and access-control bypass within the SQLite store, it does not lead to direct remote code execution or full system compromise. Exploitation requires the attacker to have access to the LangGraph API or a component that processes user-supplied filters, so it is not automatically exploitable over the network without prior access. Technically, the flaw results in SQL query manipulation confined to the application's data layer, impacting confidentiality and integrity but not the execution flow or host environment.

The bug is in get_filter_condition(), where filter expressions are assembled by concatenating the JSON path key into a SQL fragment like json_extract(value, '$.') = ''; only the value is escaped (value.replace("'", "''")) while the key is inserted verbatim. Because the JSON path is embedded inside the SQL string, a crafted key containing quote characters and SQL payload (for example: access') = 'public' OR '1'='1' --) can close the path/string literal and append arbitrary SQL, turning a single-column equality check into a logical expression that matches all rows or extracts other fields via json_extract(...). Safe remediation requires eliminating runtime string concatenation of keys: either bind the entire JSON path as a parameter (e.g., json_extract(value, ?) with a bound f'$.{key}'), or map incoming filter keys to a server-side whitelist of trusted JSON paths; additionally, validate keys with a strict pattern (e.g., ^[A-Za-z0-9.-]+$) and add unit/fuzz tests that assert malicious keys/values cannot alter generated SQL.
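The remediation described above, written out as an added example (this is constructed illustration code, not langgraph's own implementation): the JSON path and the value are both bound parameters, filter keys must match the strict pattern from the statement, and the `store` table, `search()` and `demo_db()` helpers are assumptions made for the demo.

```python
import json
import re
import sqlite3

# Constructed hardened filter builder: key pattern and bound json_extract path
# follow the remediation advice in the statement above.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9.-]+$")
OPERATORS = {"$eq": "=", "$ne": "!=", "$gt": ">", "$lt": "<", "$gte": ">=", "$lte": "<="}


def filter_condition(key, op, value):
    """Return (sql_fragment, params) for one filter; unsafe keys/operators are rejected."""
    if not KEY_PATTERN.fullmatch(key):
        raise ValueError(f"rejected filter key: {key!r}")
    if op not in OPERATORS:
        raise ValueError(f"unsupported operator: {op!r}")
    # The JSON path is a bound parameter, so quotes inside the key can never
    # close the SQL string literal; only the operator comes from a fixed table.
    return f"json_extract(value, ?) {OPERATORS[op]} ?", [f"$.{key}", value]


def build_where(filters):
    """Combine {key: literal} and {key: {op: literal}} filters into a WHERE clause."""
    clauses, params = [], []
    for key, spec in filters.items():
        ops = spec if isinstance(spec, dict) else {"$eq": spec}
        for op, val in ops.items():
            frag, bound = filter_condition(key, op, val)
            clauses.append(frag)
            params.extend(bound)
    return " AND ".join(clauses) or "1=1", params


def search(conn, filters):
    """Return the keys of all documents matching the filters (assumed schema)."""
    where, params = build_where(filters)
    sql = f"SELECT key FROM store WHERE {where} ORDER BY key"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory store with two JSON documents (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (key TEXT PRIMARY KEY, value TEXT)")
    docs = {
        "u1": {"access": "public", "score": 5, "api_key": "DEMO-KEY-1"},
        "u2": {"access": "private", "score": 9, "api_key": "DEMO-KEY-2"},
    }
    conn.executemany("INSERT INTO store VALUES (?, ?)",
                     [(k, json.dumps(v)) for k, v in docs.items()])
    return conn
```

A unit test along these lines should feed the quote-laden key from the statement into `search()` and assert that `ValueError` is raised before any SQL is executed.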

Mitigation

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Affected packages

Platform | Package | State | Advisory | Release
OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-supported-rhel9 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-dellemc-openmanage-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-minimal-rhel9 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Not affected | |
Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel9 | Not affected | |

Additional information

Status: Important
Weakness: CWE-89
https://bugzilla.redhat.com/show_bug.cgi?id=2406382
langchain: SQL Injection in langchain-ai/langchain

EPSS
Percentile: 2%
Score: 0.00013
Low

CVSS3
7.3 High

Related vulnerabilities

CVSS3: 7.3
nvd
5 months ago

A SQL injection vulnerability exists in the langchain-ai/langchain repository, specifically in the LangGraph's SQLite store implementation. The affected version is langgraph-checkpoint-sqlite 2.0.10. The vulnerability arises from improper handling of filter operators ($eq, $ne, $gt, $lt, $gte, $lte) where direct string concatenation is used without proper parameterization. This allows attackers to inject arbitrary SQL, leading to unauthorized access to all documents, data exfiltration of sensitive fields such as passwords and API keys, and a complete bypass of application-level security filters.

CVSS3: 7.3
github
5 months ago

LangGraph's SQLite store implementation has a SQL Injection Vulnerability