Skip to content
ATR-2026-00554high提示注入experimental

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

嚴重度
high
類別
提示注入
掃描目標
runtime
作者
ATR Community (GHSA sync)

建議回應

alert

參考資料

OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051 - LLM Prompt Injection

偵測條件

組合方式: any
  1. 01
    Server-side template injection via Python dunder/builtins traversal
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. {{config.__class__.__init__.__globals__['os'].environ}}
  2. {{ ''.__class__.__mro__[1].__subclasses__() }}
  3. {{user.session.__dict__}}

以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。

正常樣本(規則不會觸發)

  1. benign template 1
    {{ user.name }}
  2. benign template 2
    {{order.total}} items
  3. benign template 3
    Hello {first_name}
  4. benign template 4
    import os

完整 YAML 定義

在 GitHub 編輯 →
title: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
id: ATR-2026-00554
rule_version: 1
status: experimental
description: 'GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

  '
author: ATR Community (GHSA sync)
date: 2026/06/01
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2025-65106
  cwe:
  - CWE-1336
  ghsa:
  - GHSA-6qv9-48xg-fc7f
  external:
  - https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f
  - https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a
  - https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00
  - https://nvd.nist.gov/vuln/detail/CVE-2025-65106
  - https://github.com/advisories/GHSA-6qv9-48xg-fc7f
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI01:2026 - Agent Goal Hijack
  mitre_atlas:
    - AML.T0051 - LLM Prompt Injection
metadata_provenance:
  ghsa: ghsa-sync
  cve: ghsa-sync
  cwe: ghsa-sync
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: secondary
    - article: "14"
      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) would bypass or undermine that oversight."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - subcategory: "MG.2.3"
      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) so the risk can be treated."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - clause: "6.2"
      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) is such a treatment."
      strength: secondary
tags:
  category: prompt-injection
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)\{\{?[^{}]*\b__(?:class|globals|import|builtins|subclasses|init|mro|base|dict|reduce|getattribute|subclasshook)__[^{}]*\}?\}
    description: Server-side template injection via Python dunder/builtins traversal
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: '{{config.__class__.__init__.__globals__[''os''].environ}}'
    expected: triggered
    description: SSTI dunder payload 1
  - input: '{{ ''''.__class__.__mro__[1].__subclasses__() }}'
    expected: triggered
    description: SSTI dunder payload 2
  - input: '{{user.session.__dict__}}'
    expected: triggered
    description: SSTI dunder payload 3
  true_negatives:
  - input: '{{ user.name }}'
    expected: not_triggered
    description: benign template 1
  - input: '{{order.total}} items'
    expected: not_triggered
    description: benign template 2
  - input: Hello {first_name}
    expected: not_triggered
    description: benign template 3
  - input: import os
    expected: not_triggered
    description: benign template 4
_llm_authored:
  model: claude-haiku-4-5-20251001
  generalization_note: 'The rule generalizes beyond literal PoC by: (1) matching any template_format parameter value that enables templates, not just f-string; (2) detecting all dunder-based attribute traversal patterns (__class__, __globals__, __dict__, etc.) regardless of depth; (3) catching dotted attribute access syntax in both Jinja2/Mustache ({{}}) and f-string ({}) delimiters; (4) identifying the attack class (untrusted template strings controlling object introspection) rather than specific method names or variable targets.'
  note: Generation-time LLM authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.

修訂歷史

建立於
2026-06-01
最後修改
2026-07-15
在 GitHub 查看完整 commit 歷史 →