CVE-2024-7042 MEDIUM

CVE-2024-7042: Prompt Injection in langchain-ai/langchainjs Leading to SQL Injection

Vendor Langchain-Ai

Product langchain-ai/langchainjs

Weakness CWE-89 · SQLi

Published October 29, 2024

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

4.9/10

Attack vector Local

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.

Key dates

02Disclosure timeline

October 29, 2024 CVE published

October 15, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-7042 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

Identifiers

CVE CVE-2024-7042

CWE CWE-89

CVSS 4.9 / MEDIUM

Affected versions