PyPI: langchain-experimental
CVE-2024-27444
Safety vulnerability ID: SFTY-20240226-19020
Safety legacy ID: pyup.io-68479
Langchain-experimental (aka LangChain Experimental) allows attackers to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.
Overview
LangChain Experimental vulnerable to arbitrary code execution
How to Fix
Mitigation and Workarounds
---
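The advisory above names the attribute identifiers that pal_chain/base.py did not reject. The following AST check is an added example of the kind of denylist a validator can apply before executing model-generated Python; it is not LangChain's own code, and the FORBIDDEN_NAMES set, the function names and the sample snippets are assumptions constructed for this illustration.

```python
import ast

# The dunder names the advisory says pal_chain/base.py did not prohibit
# (CVE-2024-27444). Used here as an assumed denylist, not the project's own list.
FORBIDDEN_NAMES = frozenset({
    "__import__", "__subclasses__", "__builtins__", "__globals__",
    "__getattribute__", "__bases__", "__mro__", "__base__",
})


def find_forbidden(code: str) -> list[tuple[int, str]]:
    """Return sorted (line, name) pairs for every forbidden dunder the code
    reaches as an attribute (x.__mro__), as a bare name (__import__), or as
    a string literal (getattr(x, "__mro__")). Raises SyntaxError if the
    code does not parse."""
    hits: set[tuple[int, str]] = set()
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Attribute) and node.attr in FORBIDDEN_NAMES:
            hits.add((node.lineno, node.attr))
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN_NAMES:
            hits.add((node.lineno, node.id))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in FORBIDDEN_NAMES):
            hits.add((node.lineno, node.value))
    return sorted(hits)


def is_safe(code: str) -> bool:
    """True only when the code parses and reaches none of the names above.
    Unparseable input is rejected rather than passed through."""
    try:
        return not find_forbidden(code)
    except SyntaxError:
        return False


# Constructed samples, not taken from any real PAL chain run.
BENIGN = "def solution():\n    return 3 + 4\n"
ATTRIBUTE_ACCESS = "def solution():\n    return some_object.__subclasses__()\n"
STRING_LOOKUP = "def solution():\n    return getattr(some_object, '__mro__')\n"

if __name__ == "__main__":
    for sample in (BENIGN, ATTRIBUTE_ACCESS, STRING_LOOKUP):
        print(is_safe(sample), find_forbidden(sample))
```

A name denylist like this is one layer, not a sandbox: model-generated code should still execute in an isolated process with no ambient credentials.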
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240226-19020/CVE-2024-27444
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27444
- https://github.com/advisories/GHSA-v8vj-cv27-hjv8
- https://inspector.pypi.io/project/langchain-experimental/0.0.52/packages/3c/6d/8d46508fd8b9935a29e31158908608ae68afef4a97af025965bb476a593f/langchain_experimental-0.0.52.tar.gz/langchain_experimental-0.0.52/langchain_experimental/pal_chain/base.py#line.24
- https://nvd.nist.gov/vuln/detail/CVE-2024-27444
- https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
