Lucene search

GitHub Advisory DatabaseGHSA-F73W-4M7G-CH9X

HistorySep 01, 2023 - 6:30 p.m.

Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library

2023-09-0118:30:41

CWE-94

GitHub Advisory Database

github.com

langchain

arbitrary code execution

numexpr

vulnerability

remote attacker

patch

optional dependency

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.011

Percentile

84.6%

JSON

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.

Affected configurations

Vulners

Node

langchainlangchainRange<0.0.308

VendorProductVersionCPE
langchainlangchain*cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
langchain	langchain	*	cpe:2.3:a:langchain:langchain::::::::

References

github.com/advisories/GHSA-f73w-4m7g-ch9x

github.com/langchain-ai/langchain/issues/8363

github.com/langchain-ai/langchain/pull/11302

github.com/langchain-ai/langchain/releases/tag/v0.0.308

github.com/pydata/numexpr/issues/442

github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml

github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml

nvd.nist.gov/vuln/detail/CVE-2023-39631

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.011

Percentile

84.6%

JSON

Related for GHSA-F73W-4M7G-CH9X