Langroid SQL Injection Vulnerability in SQLChatAgent Leading to Remote Code Execution

Vulnerability

A critical vulnerability exists in Langroid versions prior to 0.63.0, specifically within the SQLChatAgent component. The issue allows prompt injection to influence the SQL that the agent executes. When the agent is granted a database role with code execution or filesystem access privileges, such as PostgreSQL's pg_execute_server_program, MySQL's FILE, or MSSQL's xp_cmdshell, an attacker can manipulate the agent's input to execute harmful commands. This exploitation can lead to remote code execution on the database host through dialect-specific SQL commands such as 'COPY ... FROM PROGRAM'. The vulnerability has been patched in version 0.63.0, which restricts SQLChatAgent to a whitelist of safe SQL operations and blocks dangerous patterns, although the previous unrestricted behavior can be restored for trusted deployments.

Impact

Exploitation of this vulnerability allows for remote code execution on the database server with the privileges of the database user. This could be used to execute arbitrary system commands, access or exfiltrate sensitive data, modify or delete database contents, or further compromise the underlying infrastructure.

Reproduction

The vulnerability can be reproduced by using a Langroid SQLChatAgent configured to connect to a PostgreSQL database. After encoding a crafted SQL command that exploits the vulnerability, the encoded string can be injected into a prompt that the language model processes. The model decodes the string and executes the SQL command, which can include dangerous operations like copying data from the filesystem into a database table, thereby demonstrating the remote code execution capability.

Remediation

Users can update to Langroid version 0.63.0 or later, where this vulnerability has been fixed. For those who need to maintain the previous behavior, it's recommended to thoroughly validate and monitor the inputs to the SQLChatAgent.
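
The statement allowlist described under Vulnerability, and the input validation recommended above, can be sketched as a guard that runs before any model-generated SQL reaches the database. This is an added example, not Langroid's code or its 0.63.0 patch; check_sql, ALLOWED_LEADING and DENY are hypothetical names, and the policy (one read-only statement, with any quoting or comment syntax the guard cannot parse rejected outright) is an assumption.

```python
import re

# Assumed policy for this sketch: one read-only statement per call.
ALLOWED_LEADING = {"SELECT", "WITH"}

# Rejected anywhere in the statement once string literals are blanked out.
DENY = [
    (r"\bCOPY\b|\bPROGRAM\b", "PostgreSQL COPY / FROM PROGRAM"),
    (r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bLOAD_FILE\s*\(|\bLOAD\s+DATA\b",
     "MySQL file I/O (FILE privilege)"),
    (r"\bxp_cmdshell\b", "MSSQL xp_cmdshell"),
    (r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|EXEC|EXECUTE|CALL)\b",
     "write, DDL or procedure call"),
]

_LITERAL = re.compile(r"'(?:[^']|'')*'")  # standard '...' literal, '' escapes a quote
# Comments and other quoting styles differ between dialects (MySQL runs the
# body of /*! ... */), so they are refused instead of being parsed.
_UNPARSED = re.compile(r"""--|/\*|[#"`\[$]""")


def check_sql(sql: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one model-generated statement."""
    if "\\" in sql:
        return False, "backslash escapes are not parsed by this guard"
    text = _LITERAL.sub("''", sql).strip().rstrip(";").strip()
    if not text:
        return False, "empty statement"
    if "'" in text.replace("''", ""):
        return False, "unterminated string literal"
    if _UNPARSED.search(text):
        return False, "comment or non-standard quoting outside a string literal"
    if ";" in text:
        return False, "multiple statements"
    leading = text.split(None, 1)[0].upper()
    if leading not in ALLOWED_LEADING:
        return False, f"{leading} is not an allowed statement type"
    for pattern, reason in DENY:
        if re.search(pattern, text, re.I):
            return False, reason
    return True, "ok"
```

A filter like this is a second line of defence: connecting the agent with a database role that lacks pg_execute_server_program, FILE or xp_cmdshell removes the code-execution path regardless of what SQL the model emits.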

Added: Jun 2, 2026, 12:24 AM
Updated: Jun 2, 2026, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.