Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Network-reachable through the application; low complexity; PR:L because the attacker must reach a filter-accepting endpoint; C:H for blind exfiltration, I:L/A:L for bounded row deletion and pg_sleep DoS.
Primary rating from Vendor (https://github.com/langchain4j/langchain4j).
CVSS VectorVendor: https://github.com/langchain4j/langchain4j
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 maven packages depend on dev.langchain4j:langchain4j-pgvector (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.3.0-beta9.
DescriptionCVE.org
Summary
The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations.
Details
pgvector - JSON mode (default, COMBINED_JSON / COMBINED_JSONB). JSONFilterMapper places the key inside a single-quoted SQL literal (the JSON key of the ->> operator) with no escaping:
(metadata->>'<key>')::text
A key containing a single quote breaks out, e.g. metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --") injects a live pg_sleep(1) (observable as a delay; exploitable for blind data extraction).
pgvector - column mode (COLUMN_PER_KEY). ColumnFilterMapper used the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as 1=1 OR true -- injects directly.
MariaDB - JSON mode (default). JSONFilterMapper placed the key inside the JSON path literal '$.<key>' unescaped (same break-out mechanism). Additionally, MariaDbFilterMapper.formatValue() escaped ' but not \; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.
MariaDB - column mode (COLUMN_PER_KEY). ColumnFilterMapper fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).
The filter key is the runtime injection surface; both stores' search() (including pgvector's HYBRID mode) and removeAll(Filter) are affected. Add/upsert operations a parameterized and not affected.
Impact
Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and - through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable.
Patches
Fixed in langchain4j-mariadb and langchain4j-pgvector 1.16.3-beta26:
- JSON filter keys are escaped before being embedded in the SQL string lit
quotes doubled, correct for PostgreSQL standard_conforming_strings = on; MariaDB: backslash and single quote).
- MariaDB string values escape both
\and'. - Column-mode keys are validated/quoted as identifiers and rejected when u
concatenated as raw SQL.
Workarounds
- Do not pass untrusted input as metadata filter keys.
- Restrict filter keys to a known allow-list at the application layer.
References
- pgvector:
JSONFilterMapper,ColumnFilterMapper - MariaDB:
JSONFilterMapper,MariaDbFilterMapper,ColumnFilterMapper
AnalysisAI
SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must call EmbeddingSearchRequest.filter() (or removeAll(Filter)) using either langchain4j-pgvector or langchain4j-mariadb at a vulnerable version, AND the filter key string must be derived from attacker-influenced input - most commonly LLM-generated filters from a tool/agent pipeline, but also any user-supplied metadata key passed through without an allow-list. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (7.6 High) reflects network reachability through whatever application surface forwards user input into a metadata filter, low complexity, and a requirement that the attacker has some way to influence filter keys (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An application exposes a chat or agent endpoint that translates user requests into vector-store metadata filters via an LLM and forwards the generated key into LangChain4j's pgvector embedding store. The attacker submits a prompt that induces the LLM (or directly supplies, via a tool-call argument) a metadata key such as `')::text IS NOT NULL OR pg_sleep(5) IS NOT NULL --`, which breaks out of the JSON key literal and is executed by search(); the attacker then iteratively uses boolean/time-based payloads to exfiltrate row data, or injects a payload through removeAll(Filter) to delete arbitrary embeddings. … |
| Remediation | Vendor-released patch: upgrade langchain4j-mariadb and langchain4j-pgvector to 1.16.3-beta26 (or the matching branch fix: 1.2.1-beta8, 1.5.1-beta11, or 1.11.8-beta19 if pinned to an older line) per https://github.com/langchain4j/langchain4j/security/advisories/GHSA-2mfg-cc43-9pcj, which escapes JSON filter keys (doubled single quotes for PostgreSQL with standard_conforming_strings=on; backslash and single quote for MariaDB), escapes both backslash and single quote in MariaDB string values, and validates or quotes column-mode keys as identifiers rather than concatenating them as raw SQL. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications using langchain4j-mariadb or langchain4j-pgvector and document their exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43027
GHSA-2mfg-cc43-9pcj