azure-search-openai-demo
Suggested LangChain version has known security vulnerability
Dear All, the original repo set the requirement for the langchain library to 0.0.78. Unfortunately, it's vulnerable to prompt injection attacks, as can be verified through this reference in the NIST vulnerabilities database: https://nvd.nist.gov/vuln/detail/CVE-2023-29374. It was patched only from v0.0.132, so I suggested it as a minimum.
Purpose
- There is a known security vulnerability in the suggested version of the library.
Does this introduce a breaking change?
[ ] Yes
[x] No
Pull Request Type
What kind of change does this Pull Request introduce?
[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[x] Other... Please describe: Security
How to Test
- Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
- Test the code
What to Check
Verify that the following are valid
- https://nvd.nist.gov/vuln/detail/CVE-2023-29374
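
A check a reviewer could run over the requirements file to confirm the minimum stated in the description, as an added example that is not part of the original pull request or the repository's code. The function name, the sample input and the conservative handling of `>` are assumptions of this example.

```python
import re

# Floor taken from the PR text: CVE-2023-29374 is stated as patched from v0.0.132.
MIN_PATCHED = (0, 0, 132)

_NAME = re.compile(r"^([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE = re.compile(r"^(==|~=|>=|>|<=|<|!=)\s*(\d+(?:\.\d+)*)$")

def _version(text):
    return tuple(int(part) for part in text.split("."))

def find_vulnerable_pins(requirements, package="langchain", minimum=MIN_PATCHED):
    """Return (line_no, requirement, reason) for each line that allows a version below minimum."""
    findings = []
    for line_no, raw in enumerate(requirements.splitlines(), 1):
        # Drop comments and environment markers; skip blanks and pip options (-r, -e, ...).
        req = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not req or req.startswith("-"):
            continue
        match = _NAME.match(req)
        if not match or match.group(1).lower().replace("_", "-") != package:
            continue
        floor, reason = None, None
        for clause in filter(None, (c.strip() for c in match.group(2).split(","))):
            parsed = _CLAUSE.match(clause)
            if not parsed:
                reason = "specifier not understood: " + clause
                break
            # ==, ~=, >= and > all set a lower bound; '>' is treated as '>=' (conservative).
            if parsed.group(1) in ("==", "~=", ">=", ">"):
                bound = _version(parsed.group(2))
                floor = bound if floor is None else max(floor, bound)
        if reason is None and floor is None:
            reason = "no lower bound"
        elif reason is None and floor < minimum:
            reason = "allows %s, below %s" % (".".join(map(str, floor)), ".".join(map(str, minimum)))
        if reason:
            findings.append((line_no, req, reason))
    return findings

# Constructed sample: the langchain pin is the one the PR text quotes; the rest is made up.
SAMPLE = """\
example-package==1.0.0
langchain==0.0.78
"""

if __name__ == "__main__":
    for line_no, req, reason in find_vulnerable_pins(SAMPLE):
        print("line %d: %s (%s)" % (line_no, req, reason))
```

An empty result means every `langchain` line sets a lower bound at or above 0.0.132; wildcard pins such as `==0.0.*` are reported as not understood rather than guessed at.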