
0.65.5


@pchalasani pchalasani released this 15 Jun 00:25

0.65.5 — Security release

A security patch closing a prompt-injection-to-query-execution flaw in the
graph-database chat agents, Neo4jChatAgent (Cypher) and ArangoChatAgent
(AQL). Upgrading is strongly recommended for anyone exposing either agent to
untrusted input, whether directly or indirectly via content the agent reads
back through RAG.

pip install -U langroid

Security fix

Neo4jChatAgent / ArangoChatAgent executed LLM-generated queries without validation

Advisory: GHSA-2pq5-3q89-j7cc (severity: High)

Neo4jChatAgent passed LLM-generated Cypher, and ArangoChatAgent passed
LLM-generated AQL, straight to the database driver with no validation and no
opt-out gate. Because the query text can be steered by prompt injection, an
attacker who controlled any part of the prompt (directly, or through
RAG-retrieved content the agent reads back) could:

  • read or destroy all graph data (e.g. Cypher MATCH (n) DETACH DELETE n) and
    use the LOAD CSV remote-fetch (SSRF) primitive — present regardless of
    server configuration; and
  • escalate toward OS-command / filesystem access (config-conditional RCE) where
    APOC or dbms.security procedures (Neo4j), or user-defined functions / Foxx
    (Arango), are enabled on the database role.

This is the same defect class as the SQLChatAgent prompt-to-SQL-to-RCE issue
fixed in 0.63.0 (CVE-2026-25879); that fix did not extend to the graph-DB
agents.

Fix: both agents now mirror the SQLChatAgent controls. A new
allow_dangerous_operations config flag (default False) gates execution:

  • the retrieval tool is restricted to read-only queries (write/admin clauses
    are rejected);
  • the creation tool allows ordinary writes;
  • both tools reject code-execution / file / network primitives (LOAD CSV,
    apoc.*, dbms.*, CALL db.* for Cypher; user-defined namespace::func
    calls for AQL).

Validation runs at the tool handlers, so internal schema-introspection and
maintenance calls are unaffected. Reported by
@matte1782.

Behavior change

By default (allow_dangerous_operations=False), LLM-generated graph queries are
now restricted:

  • cypher_retrieval_tool / aql_retrieval_tool execute read-only queries; a
    write or admin clause is rejected and the reason is returned to the LLM.
  • cypher_creation_tool / aql_creation_tool still perform writes, but
    code-execution / file / network primitives are blocked.
  • To restore the previous unrestricted behavior, set
    allow_dangerous_operations=True on Neo4jChatAgentConfig /
    ArangoChatAgentConfig. This is only safe with a least-privilege DB role
    and trusted prompts; bear in mind that the LOAD CSV remote-fetch primitive
    described above does not depend on server configuration, so a restricted
    role does not by itself remove that exposure.
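The following is an added illustration of the gate that the fix and the behavior change above describe, written for this page; it is not langroid's own validator, and the keyword lists, the regular expressions, the `validate_query` / `run_samples` names and the sample queries are assumptions made here (the blocked primitives are the ones the release notes name, the write-clause lists are standard Cypher and AQL). It goes a little beyond the notes in one respect a practitioner will want: string literals, backtick identifiers and comments are blanked before keyword matching so that a literal such as `'please DELETE me'` is not a false positive, while an unterminated literal fails closed.

```python
"""Illustrative read-only / dangerous-primitive gate for LLM-generated graph
queries. Added example, NOT langroid's code; keyword lists are assumptions."""
import re
from dataclasses import dataclass

# String literals, backtick-quoted identifiers and comments are blanked before
# keyword matching so a keyword inside a literal is not a false positive. An
# unterminated literal never matches, so its contents stay visible to the scan
# below: the gate fails closed rather than open.
_NOISE = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|`[^`]*`|/\*.*?\*/|//[^\n]*", re.S
)

# (?<![\w.]) keeps property names such as n.set or u.remove from matching.
_KW = r"(?<![\w.])(?:%s)\b"

RULES = {
    "cypher": {
        # Assumed write/admin clause list (standard Cypher, not langroid's list).
        "write": re.compile(
            _KW % "CREATE|MERGE|DELETE|SET|REMOVE|DROP|ALTER|GRANT|DENY|REVOKE|FOREACH",
            re.I),
        # Primitives the release notes name: LOAD CSV, apoc.*, dbms.*, CALL db.*
        "dangerous": re.compile(r"\bLOAD\s+CSV\b|\bapoc\.|\bdbms\.|\bCALL\s+db\.", re.I),
    },
    "aql": {
        "write": re.compile(_KW % "INSERT|UPDATE|REPLACE|REMOVE|UPSERT", re.I),
        # AQL user-defined functions are always invoked as namespace::name(...).
        "dangerous": re.compile(r"\b[A-Za-z_]\w*(?:::[A-Za-z_]\w*)+\s*\(", re.I),
    },
}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str  # on rejection this is what the tool handler hands back to the LLM


def validate_query(query: str, dialect: str, tool: str,
                   allow_dangerous_operations: bool = False) -> Verdict:
    """Gate one LLM-generated query before it reaches the driver.

    dialect: "cypher" or "aql". tool: "retrieval" (read-only) or "creation"
    (ordinary writes allowed). Both tools reject code/file/network primitives.
    """
    if dialect not in RULES:
        raise ValueError(f"unknown dialect {dialect!r}")
    if tool not in ("retrieval", "creation"):
        raise ValueError(f"unknown tool {tool!r}")
    if allow_dangerous_operations:
        # Explicit opt-out: the previous unrestricted behavior, DB role is the only control.
        return Verdict(True, "allow_dangerous_operations=True, validation skipped")

    scrubbed = _NOISE.sub(" ", query)
    rules = RULES[dialect]

    hit = rules["dangerous"].search(scrubbed)
    if hit:
        return Verdict(False, f"{dialect}: code/file/network primitive "
                              f"{hit.group(0).strip()!r} is not permitted")
    if tool == "retrieval":
        hit = rules["write"].search(scrubbed)
        if hit:
            return Verdict(False, f"{dialect}: retrieval tool is read-only; "
                                  f"write/admin clause {hit.group(0).upper()!r} rejected")
    return Verdict(True, "ok")


# Constructed sample queries (not taken from the advisory), of the kind an
# LLM might emit after a prompt injection. (dialect, tool, query)
SAMPLES = [
    ("cypher", "retrieval", "MATCH (p:Person)-[:KNOWS]->(q) WHERE p.name = 'Ann' RETURN q.name LIMIT 10"),
    ("cypher", "retrieval", "MATCH (n) DETACH DELETE n"),
    ("cypher", "retrieval", "MATCH (n) WHERE n.note = 'please DELETE me' RETURN n"),
    ("cypher", "creation", "CREATE (:Person {name: 'Bob'})"),
    ("cypher", "creation", "LOAD CSV FROM 'http://169.254.169.254/latest/meta-data/' AS row RETURN row"),
    ("cypher", "creation", "CALL dbms.listConfig() YIELD name, value RETURN name, value"),
    ("aql", "retrieval", "FOR u IN users FILTER u.age > 30 RETURN u.name"),
    ("aql", "retrieval", "FOR u IN users REMOVE u IN users"),
    ("aql", "creation", "INSERT {name: 'Bob'} INTO users"),
    ("aql", "creation", "RETURN evil::exec('id')"),  # hypothetical UDF name
]


def run_samples(allow_dangerous_operations: bool = False) -> list:
    """Return the allow/reject decision for each sample, in order."""
    return [validate_query(q, d, t, allow_dangerous_operations).allowed
            for d, t, q in SAMPLES]


if __name__ == "__main__":
    for d, t, q in SAMPLES:
        v = validate_query(q, d, t)
        print(f"{'ALLOW' if v.allowed else 'REJECT':6} {d}/{t}: {q}\n        {v.reason}")
```

With the default gate, the first, third, fourth, seventh and ninth samples are allowed and the rest rejected; with `allow_dangerous_operations=True` every one passes, which is why that flag belongs only behind a least-privilege DB role and trusted prompts.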

Upgrade

pip install -U langroid

Full changelog:
0.65.4...0.65.5