GoogleOSV:GHSA-92J5-3459-QGP4LangChain vulnerable to arbitrary code execution
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.5%
An issue in Harrison Chase langchain before version 0.0.236 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.
References
github.com/hwchase17/langchain/issues/5872
github.com/hwchase17/langchain/pull/6003
github.com/langchain-ai/langchain
github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137
github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e
github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml
nvd.nist.gov/vuln/detail/CVE-2023-38896
twitter.com/llm_sec/status/1668711587287375876
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
80.5%