GoogleOSV:GHSA-F73W-4M7G-CH9XLangchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
84.6%
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.
References
github.com/langchain-ai/langchain
github.com/langchain-ai/langchain/issues/8363
github.com/langchain-ai/langchain/pull/11302
github.com/langchain-ai/langchain/releases/tag/v0.0.308
github.com/pydata/numexpr/issues/442
github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml
github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml
nvd.nist.gov/vuln/detail/CVE-2023-39631
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
84.6%