LangChain langchain-core Template Injection via Attribute Access

Vulnerability Key Information Vulnerability Name Template Injection via Attribute Access in Prompt Templates Vulnerability Severity High (8.3/10) Affected Versions langchain_core (pip): - Affected versions: , , - Patched versions: , Vulnerability Description A template injection vulnerability exists in LangChain’s prompt template system, allowing attackers to access internal attributes of Python objects via template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables). Affected Components langchain-core package Template formats: - F-string templates ( ) — vulnerability fixed - Mustache templates ( ) — defensive hardening applied - Jinja2 templates ( ) — defensive hardening applied Impact Attackers can exploit controlled template strings (not just template variables) to: Access Python object attributes and internal attributes Extract sensitive information Potentially escalate to more severe attacks Attack Vectors 1. F-string template injection 2. Mustache template injection 3. Jinja2 template injection Root Cause Analysis 1. F-string templates use Python’s method without validating attribute access 2. Mustache templates use to access attributes without restricting access types 3. Jinja2 templates’ default environment allows access to non-underscore attributes/methods Scope of Impact Applications accepting template strings from untrusted sources Applications dynamically constructing prompt templates Applications allowing user-defined or user-created prompt templates Mitigation Measures F-string templates: Added strict validation, allowing only simple variable names Mustache and Jinja2 templates: Defensive hardening, restricting attribute access Risk Mitigation Immediate Actions: 1. Review code for template strings sourced from untrusted inputs 2. Upgrade to patched versions of 3. Ensure template structure is separated from user data Best Practices: Consider whether templates are necessary; using message objects directly may be safer Use Jinja2 templates only when template content is fully under your control

Goal Reached Thanks to every supporter — we hit 100%!

LangChain langchain-core Template Injection via Attribute Access

More from this source