CVE-2023-32786
Description
In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Langchain <=0.0.155, prompt injection enables SSRF by forcing arbitrary URL retrieval, potentially injecting malicious content into downstream tasks.
The vulnerability lies in Langchain's APIChain module, which constructs URLs based on user prompts. An attacker can inject a new base URL into the prompt, causing the application to fetch data from an arbitrary URL instead of the intended API. This is a server-side request forgery (SSRF) flaw, as the application makes requests on behalf of the server. [1][4]
Exploitation requires no special privileges beyond the ability to provide a prompt to a Langchain-powered service. The attacker crafts a malicious prompt that overrides the intended API endpoint, as demonstrated in reference [4] where the base URL is changed to https://api.ipify.org?format=json to retrieve the server's external IP address. The service then fetches and processes the response from the attacker-controlled URL. [4]
Successful exploitation allows an attacker to make requests to internal or external URLs, potentially accessing sensitive internal resources (SSRF) or injecting attacker-controlled content into the LLM's downstream tasks. This could lead to data exfiltration, poisoning of subsequent LLM responses, or bypassing access controls. [1]
The vulnerability affects Langchain through version 0.0.155. Later versions, including release v0.0.329, have implemented fixes. Users are strongly advised to upgrade to a patched version to mitigate the risk. [2][3]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
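The narrative above describes the root cause as a URL built from prompt-controlled text and fetched without restriction. The control a defender would want between those two steps is an allowlist on the constructed URL: same scheme, host and port as the intended API base, a path at or below the base path, and no internal addresses. The following is an added example, not LangChain's code and not the project's own fix; the API base `https://api.example-weather.test/v1/`, the `localhost` and `../admin` candidates, and the names `validate_api_url`, `triage` and `guarded_fetch` are constructed for the example. The `api.ipify.org` URL is the one quoted from reference [4].

```python
# Added example (not LangChain's own code): an allowlist guard placed between the
# model's URL-construction step and the HTTP fetch, so a prompt that rewrites the
# base URL cannot redirect the chain to an arbitrary or internal host.
import ipaddress
import posixpath
from urllib.parse import urlsplit


class DisallowedURL(ValueError):
    """Raised when a model-produced URL is outside the configured API allowlist."""


def _host_is_internal(host: str) -> bool:
    """True for 'localhost' and for loopback/private/link-local/reserved IP literals."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; the allowlist comparison below still applies
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast)


def _effective_port(parts) -> int:
    """Explicit port, or the scheme default when none is given."""
    try:
        port = parts.port
    except ValueError as exc:  # e.g. "http://host:abc/"
        raise DisallowedURL("malformed port") from exc
    if port is not None:
        return port
    return 443 if parts.scheme == "https" else 80


def _normalised_path(path: str) -> str:
    # Collapse "/v1/../admin"-style segments before the prefix comparison.
    return posixpath.normpath(path or "/")


def validate_api_url(url: str, allowed_bases) -> str:
    """Return `url` unchanged if it lies under one of `allowed_bases`, else raise.

    A base such as "https://api.example-weather.test/v1/" permits only the same
    scheme, host and port, and only paths at or below /v1.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise DisallowedURL(f"scheme {parts.scheme!r} not permitted")
    if parts.username or parts.password:
        raise DisallowedURL("credentials in URL not permitted")
    host = parts.hostname
    if not host:
        raise DisallowedURL("URL has no host")
    if _host_is_internal(host):
        raise DisallowedURL(f"host {host!r} is an internal address")

    cand_path = _normalised_path(parts.path)
    for base in allowed_bases:
        b = urlsplit(base)
        if parts.scheme != b.scheme or host.lower() != (b.hostname or "").lower():
            continue
        if _effective_port(parts) != _effective_port(b):
            continue
        base_path = _normalised_path(b.path)
        if base_path == "/" or cand_path == base_path or cand_path.startswith(base_path + "/"):
            return url
    raise DisallowedURL("URL is outside the API allowlist")


# Constructed sample: the only API the chain is meant to call.
ALLOWED_BASES = ("https://api.example-weather.test/v1/",)

# Constructed candidate URLs a chain might build from prompts. The second is the
# injected base URL quoted in this CVE's reference [4]; the third is the kind of
# internal target an SSRF would reach; the fourth is a path-traversal attempt.
CANDIDATE_URLS = (
    "https://api.example-weather.test/v1/forecast?city=Paris",
    "https://api.ipify.org?format=json",
    "http://localhost:8080/internal/",
    "https://api.example-weather.test/v1/../admin",
)


def triage(urls, allowed_bases=ALLOWED_BASES):
    """Run the guard over several URLs; returns [(url, verdict), ...]."""
    verdicts = []
    for url in urls:
        try:
            validate_api_url(url, allowed_bases)
            verdicts.append((url, "allowed"))
        except DisallowedURL as exc:
            verdicts.append((url, f"blocked: {exc}"))
    return verdicts


def guarded_fetch(url, transport, allowed_bases=ALLOWED_BASES):
    """Hand the URL to `transport` (e.g. requests.get) only after it passes the guard."""
    return transport(validate_api_url(url, allowed_bases))


if __name__ == "__main__":
    for url, verdict in triage(CANDIDATE_URLS):
        print(f"{verdict:45s} {url}")
```

In a real chain, `transport` is whatever HTTP client the chain already uses, and the guard runs on the final URL string the model produced, not on the prompt. Two caveats: the literal-IP check does not cover a public DNS name that resolves to an internal address, so a deployment that must reach arbitrary hosts also needs a resolve-time check or an egress proxy; and the allowlist complements, rather than replaces, upgrading to the patched release named above.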
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| langchain | PyPI | < 0.0.329 | 0.0.329 |
Affected products
- Langchain / Langchain
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.