PyPI: langchain-experimental
CVE-2023-44467
Safety vulnerability ID: SFTY-20231009-72117
Safety legacy ID: pyup.io-61692
Langchain_experimental allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via the PALChain in the python exec method.
Overview
langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method
Advisory
In langchain-experimental before 0.0.24, the code validation that was added to PALChain in response to CVE-2023-36258 can be bypassed. PALChain asks an LLM to write a Python program for the user's question and then runs that program through Python's exec; the validation step is the only gate between the model's output and the interpreter. Because that gate can be sidestepped, an attacker who can influence the generated program (for example by prompt injection through the question or through retrieved content) can execute arbitrary code on the host running the chain. The fix, commit 4c97a10bd0d9385cfee234a63b5bd826a295e483 (PR #11233), hardens the validation in langchain_experimental/pal_chain/base.py.
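The following is an added example written for this page; it is not code from langchain-experimental. It contrasts two gates for LLM-generated Python that is about to be passed to exec: a weak one that only blocks direct calls to a few function names and only looks for imports at module top level, and a hardened one that walks the whole AST and also rejects imports anywhere, the builtins that fetch code or modules, and the dunder attributes that climb from any object back to those builtins. The blocklists, the behaviour of the weak checker and the sample programs are assumptions constructed to illustrate the class of bypass the advisory describes, not the exact payload or the project's exact validation logic.

```python
"""Added example, not the project's own code: a call-name blocklist versus
an AST-wide validator for model-generated Python before it reaches exec().
All blocklists and the weak checker's behaviour are assumptions made for
illustration of the bypass class behind CVE-2023-44467."""
from __future__ import annotations

import ast

# Assumption: the weak gate knows only a handful of bare function names.
WEAK_BLOCKED_CALLS = {"system", "exec", "execfile", "eval"}

# Assumption: the hardened gate adds the builtins that load code or modules
# and the attributes that lead from any object back to those builtins.
HARDENED_BLOCKED_CALLS = WEAK_BLOCKED_CALLS | {"__import__", "compile"}
HARDENED_BLOCKED_ATTRS = {
    "__import__", "__subclasses__", "__builtins__", "__globals__",
    "__getattribute__", "__bases__", "__mro__", "__base__",
}
# Bare references that hand out a dangerous builtin without calling it.
HARDENED_BLOCKED_NAMES = {"__import__", "__builtins__"}


def validate_weak(code: str) -> list[str]:
    """Model of a bypassable gate: top-level imports and bare-name calls only."""
    tree = ast.parse(code)
    findings: list[str] = []
    # Only direct children of the module are inspected, so an import nested
    # inside a function body is never seen.
    for node in ast.iter_child_nodes(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import")
    for node in ast.walk(tree):
        # Only calls to a bare name are inspected; obj.attr(...) is skipped.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in WEAK_BLOCKED_CALLS:
                findings.append(f"line {node.lineno}: call to {node.func.id}")
    return findings


def validate_hardened(code: str, allow_imports: bool = False) -> list[str]:
    """Walk the whole tree; reject imports, dangerous calls and dunder access."""
    tree = ast.parse(code)
    findings: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)) and not allow_imports:
            findings.append(f"line {node.lineno}: import")
        elif isinstance(node, ast.Call):
            # Resolve both f(...) and obj.f(...) to the name being called.
            target = None
            if isinstance(node.func, ast.Name):
                target = node.func.id
            elif isinstance(node.func, ast.Attribute):
                target = node.func.attr
            if target in HARDENED_BLOCKED_CALLS:
                findings.append(f"line {node.lineno}: call to {target}")
        elif isinstance(node, ast.Attribute) and node.attr in HARDENED_BLOCKED_ATTRS:
            findings.append(f"line {node.lineno}: attribute {node.attr}")
        elif isinstance(node, ast.Name) and node.id in HARDENED_BLOCKED_NAMES:
            findings.append(f"line {node.lineno}: reference to {node.id}")
    return findings


def gate(code: str, hardened: bool = True) -> bool:
    """True if the program would be allowed through to exec(), False if rejected."""
    findings = validate_hardened(code) if hardened else validate_weak(code)
    return not findings


# Constructed sample programs, shaped like PAL-style solutions that end in a
# result assignment.  They are illustrations, not payloads from the advisory.
BENIGN = "def solution():\n    return 3 * 4\nresult = solution()\n"
INDIRECT_IMPORT = "result = __import__('os').system('id')\n"
DUNDER_CLIMB = "result = ().__class__.__base__.__subclasses__()\n"
NESTED_IMPORT = (
    "def solution():\n    import os\n    return os.listdir('.')\n"
    "result = solution()\n"
)

if __name__ == "__main__":
    for label, prog in [("benign", BENIGN), ("indirect import", INDIRECT_IMPORT),
                        ("dunder climb", DUNDER_CLIMB), ("nested import", NESTED_IMPORT)]:
        print(f"{label:16} weak gate allows: {gate(prog, hardened=False)!s:5} "
              f"hardened gate allows: {gate(prog)!s:5} "
              f"findings: {validate_hardened(prog)}")
```

The weak checker lets the last three programs through because none of them calls a blocked name directly at module level: the module is reached through the `__import__` builtin, the capability is reached by walking `__base__` and `__subclasses__`, or the import is hidden inside a function body. The hardened checker rejects all three while still passing the benign program, and it only relaxes the import rule when the caller opts in with `allow_imports=True`. An allowlist of permitted AST node types would be stronger still; a blocklist like this is the minimum that closes the attribute and nested-import gaps.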
How to Fix
Upgrade langchain-experimental to 0.0.24 or higher.
Mitigation and Workarounds
None listed. Until the upgrade is in place, do not run PALChain on questions or retrieved content from untrusted sources, and treat the exec step as running attacker-influenced code: isolate it in a sandbox with least privilege and no secrets or network reach it does not need.
Vulnerable Functions
Functions linked to known vulnerabilities. None are listed for this advisory; the fix commit referenced below changes langchain_experimental/pal_chain/base.py.
References
- https://getsafety.com/vulnerabilities/SFTY-20231009-72117/CVE-2023-44467
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44467
- https://github.com/langchain-ai/langchain/commit/4c97a10bd0d9385cfee234a63b5bd826a295e483
- https://inspector.pypi.io/project/langchain-experimental/0.0.24/packages/9b/3f/73dab2ac5aaea08f2eff5478c59b12a7e298a108c5b7d5dc1c4547eacb80/langchain_experimental-0.0.24.tar.gz/langchain_experimental-0.0.24/langchain_experimental/pal_chain/base.py#line.23
- https://nvd.nist.gov/vuln/detail/CVE-2023-44467
- https://github.com/langchain-ai/langchain/pull/11233
- https://github.com/pypa/advisory-database/tree/main/vulns/langchain-experimental/PYSEC-2023-194.yaml
- https://pypi.org/project/langchain-experimental/0.0.14
- https://github.com/advisories/GHSA-gjjr-63x4-v8cq
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
