The Zafran researchers found that this tradition ingredient provides attackers management over all its properties, as a result of it doesn’t validate the fields. For instance, if attackers ship a customized ingredient with the trail property set to any file on the server, the file can be returned to the consumer session.
Due to this, the flaw permits attackers to learn any arbitrary file from the server, loads of which might embody delicate info. For instance, the /proc/self/environ file is used to retailer atmosphere variables, and these can comprise API keys, credentials, inside file paths, database paths, tokens for AWS and different cloud providers, and even CHAINLIT_AUTH_SECRET, a secret that’s used to signal authentication tokens when authentication is enabled.
On high of that, if LangChain is used because the orchestration layer behind Chainlit and caching is enabled, consumer prompts despatched to the LLM and the corresponding responses are saved to a file known as .chainlit/.langchain.db. This file shops prompts throughout customers and tenants, so attackers might exfiltrate it periodically to acquire delicate info. Zafran’s proof-of-concept exploit concerned leaking this file.
