AI Sec Watch

LangChain Core has a path traversal vulnerability (a security flaw where attackers can access files outside intended directories using '../' sequences or absolute paths) in legacy functions that load prompt configurations from files. When an application accepts user-influenced prompt configs and passes them to `load_prompt()` or `load_prompt_from_config()`, attackers can read arbitrary files like secret credentials or configuration files, though they're limited to specific file types (.txt, .json, .yaml).

Langflow had a vulnerability where the code checking if a user owned a flow was missing when authentication was enabled, allowing any authenticated user to read, modify, or delete flows belonging to other users, including stealing embedded API keys. The fix removes the conditional logic and always checks that the requesting user owns the flow before allowing any operation.

The @mobilenext/mobile-mcp package has a path traversal vulnerability (a security flaw where an attacker can write files outside the intended directory by using special path characters like `../`) in its `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters are passed directly to file-writing functions without checking if the paths are valid, allowing an attacker to write files anywhere on the system.

The Azure Data Explorer MCP Server (adx-mcp-server) has KQL injection vulnerabilities (a type of code injection where untrusted input is inserted into database queries) in three tools that inspect database tables. Because the `table_name` parameter is directly inserted into Kusto queries (Azure's query language) using f-strings without checking or cleaning the input, an attacker or a prompt-injected AI agent can execute arbitrary database commands, including reading sensitive data or deleting tables.

Large data centers that power AI systems require massive amounts of electricity and resources, creating conflicts with communities, power grids, and the environment worldwide. Tech companies are expanding these facilities rapidly, leading to legal battles, environmental concerns, and pushback from local communities over issues like electricity costs, water usage, and pollution.

n8n, a workflow automation tool, has an XSS vulnerability (cross-site scripting, where malicious code runs in a user's browser) in its credential management system. An authenticated user could hide JavaScript in an OAuth2 credential's Authorization URL field, and if another user clicks the OAuth authorization button, that malicious script executes in their browser session.

n8n versions before 1.123.27, 2.13.3, and 2.14.1 have a stored XSS (cross-site scripting, where attackers inject malicious code that runs when others visit a page) vulnerability in the Chat Trigger node's Custom CSS field. An authenticated user could bypass the sanitize-html library (a tool meant to remove dangerous code) and inject malicious JavaScript that would affect anyone visiting the public chat page.

n8n (a workflow automation tool) has a security flaw where authenticated users can inject malicious code or redirect users through unsanitized form fields, potentially enabling phishing attacks. The vulnerability affects the Form Node feature and requires authentication to exploit.

n8n, a workflow automation platform, has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Form Trigger node that allows authenticated users to inject harmful scripts into forms. These scripts execute every time someone visits the published form, potentially hijacking form submissions or conducting phishing attacks, though the platform's Content Security Policy (a browser security feature that restricts what scripts can do) prevents direct theft of session cookies.