LangChain Template Injection Vulnerability in Prompt Templates Allowing Access to Python Object Internals

A template injection vulnerability has been identified in LangChain's prompt template system, specifically in versions through 0.3.79 and 1.0.0 to 1.0.6. This vulnerability allows attackers to access Python object internals through template syntax. It affects applications that accept untrusted template strings in 'ChatPromptTemplate' and related prompt template classes. The issue arises from improper validation of template strings, particularly in f-string templates, which can be exploited to access sensitive object attributes and internal properties.

Impact

Exploitation of this vulnerability allows for unauthorized access to Python object attributes and internal properties, such as '__class__' and '__globals__'. This could lead to the extraction of sensitive information, including environment variables, and potentially escalate to more severe attacks, depending on the objects passed to the templates.

Reproduction

The vulnerability can be reproduced by creating a 'ChatPromptTemplate' with an untrusted template string that includes attribute access or indexing. For example, using '{{question.__class__.__name__}}' in a Mustache template format can access the '__class__' attribute of a 'HumanMessage' object, which is a sensitive internal property.

Remediation

To address this vulnerability, update to LangChain versions 0.3.80 or 1.0.7, and review your application's template usage to ensure that untrusted input is not allowed to control template strings. For Jinja2 templates, which have been hardened but still pose some risk, reserve their use for trusted sources only.