Fluid Attacks Database

Description

langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via import in Python code, which is not prohibited by pal_chain/base.py.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	langchain-experimental	>=0 <=0.0.14	0.0.15

Aliases

1. CVE-2023-444672. NVD-2023-444673. OSV-2023-444674. GCVE-2023-44467

References

1. https://github.com/langchain-ai/langchain/pull/112332. https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e4833. https://github.com/pypa/advisory-database/tree/main/vulns/langchain-experimental/PYSEC-2023-194.yaml4. https://pypi.org/project/langchain-experimental/0.0.145. https://vulncheck.com/cve/CVE-2023-44467

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.