37 matches found
EUVD-2024-0087
Malicious code in bioql PyPI...
VulnCheck KEV: CVE-2023-44467
langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via import in Python code, which is not prohibited by pal_chain/base.py...
CVE-2024-38459
langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE: this issue exists because of an incomplete fix for CVE-2024-27444...
Exploit for Code Injection in Langchain Langchain-Experimental
CVE-2024-21513 PoC for CVE-2024-21513 Original exploit documen...
CVE-2024-21513
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code attempts to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if the...
Eval Injection
LangChain Experimental is vulnerable to Eval Injection. The vulnerability is due to the use of sympy.sympify, which relies on eval, in LLMSymbolicMathChain, allowing attackers to execute arbitrary code in versions 0.1.17 through 0.3.0...
LangChain Experimental Eval Injection vulnerability
langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify, which uses eval, in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05)...
CVE-2024-46946
langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify, which uses eval, in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05)...
LangChain Experimental Python Library <= 0.0.14 (CVE-2023-44467)
LangChain is a framework for developing applications powered by large language models. langchain_experimental (aka LangChain Experimental) in LangChain <= 0.0.14 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via import in Python code, which is not prohibited by...
Code Injection
langchain-experimental is vulnerable to Code Injection. The vulnerability is due to the use of 'eval' on all retrieved values from the database when the server is configured with VectorSQLDatabaseChain...
GHSA-CGCG-P68Q-3W7V langchain-experimental vulnerable to Arbitrary Code Execution
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code attempts to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if the...
kube-copilot (>=0.1.21 <=0.1.22), langcorn (>=0.0.14 <=0.0.18) +1 more potentially affected by CVE-2024-21513 via langchain-experimental (>=0.0.10 <=0.0.14)
langchain-experimental PYPI version =0.0.10, =0.1.21, =0.0.14, =2.3.0, =4.3.3 Source cves: CVE-2024-21513 Source advisory: OSV:GHSA-CGCG-P68Q-3W7V...
kube-copilot (>=0.1.21 <=0.1.22), langcorn (>=0.0.14 <=0.0.18) +1 more potentially affected by CVE-2024-21513 via langchain-experimental (>=0.0.10 <=0.0.14)
langchain-experimental PYPI version =0.0.10, =0.1.21, =0.0.14, =2.3.0, =4.3.3 Source cves: CVE-2024-21513 Source advisory: OSV:PYSEC-2024-62...
PYSEC-2024-62
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code attempts to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if the...
CVE-2024-21513
langchain-experimental versions from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution via eval() on database-retrieved values when using VectorSQLDatabaseChain. The vulnerability requires an attacker to influence the input prompt and can enable Python code execution on the ser...
Arbitrary Code Execution
Overview langchain-experimental is a package that holds experimental LangChain code, intended for research and experimental uses. Affected versions of this package are vulnerable to Arbitrary Code Execution when retrieving values from the database: the code attempts to call 'eval' on all...
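The CVE-2024-21513 entries above all describe the same bug class: a string pulled from a database is handed to eval(), so anyone who can write a row (for example by getting a crafted document ingested into the vector store) gets code execution when that row is read back. The snippet below is an added illustration, not langchain-experimental's own code: a simplified stand-in for the vulnerable decoder next to a hardened one that accepts only Python literals via ast.literal_eval. The rows are constructed for the example, and the payload is deliberately benign (it only returns the process id) so the difference in behaviour is visible without running anything harmful. The same lesson applies to the sympy.sympify entries (CVE-2024-46946): an expression parser built on eval is an eval.

```python
import ast
from typing import Any, Callable, Dict, List

# Constructed sample rows standing in for what a vector/SQL store could return.
# Row 3 holds an attacker-controlled string that was stored in the database.
# Under eval() it runs code; the payload here only returns the process id.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"id": 1, "metadata": "{'source': 'handbook.pdf', 'page': 3}"},
    {"id": 2, "metadata": "[0.12, 0.87, 0.33]"},
    {"id": 3, "metadata": "__import__('os').getpid()"},
]

# Types a decoded metadata value is allowed to have (assumed policy for this example).
ALLOWED_TYPES = (dict, list, tuple, str, int, float, bool, type(None))
MAX_LITERAL_LEN = 4096  # ast.literal_eval still parses deeply nested input; cap it


def decode_value_unsafe(value: Any) -> Any:
    """Vulnerable pattern (simplified stand-in, not the chain's actual code):
    eval() every string value from the database, fall back to the raw value."""
    if not isinstance(value, str):
        return value
    try:
        return eval(value)  # noqa: S307 - intentionally vulnerable
    except Exception:
        return value


def decode_value_safe(value: Any) -> Any:
    """Hardened form: only Python literals are reconstructed, the input length is
    capped, and anything that is not a literal stays an opaque string."""
    if not isinstance(value, str) or len(value) > MAX_LITERAL_LEN:
        return value
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return value  # e.g. a call expression: rejected, never executed
    return parsed if isinstance(parsed, ALLOWED_TYPES) else value


def decode_rows(rows: List[Dict[str, Any]],
                decoder: Callable[[Any], Any]) -> List[Dict[str, Any]]:
    """Apply a decoder to every value of every row, as a result post-processor would."""
    return [{k: decoder(v) for k, v in row.items()} for row in rows]


def demo():
    """Decode the constructed rows both ways and return (unsafe, safe) results."""
    unsafe = decode_rows(SAMPLE_ROWS, decode_value_unsafe)
    safe = decode_rows(SAMPLE_ROWS, decode_value_safe)
    return unsafe, safe


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo()
    print("eval():        ", unsafe_rows[2]["metadata"])  # an int: the payload ran
    print("literal_eval():", safe_rows[2]["metadata"])    # the string, untouched
```

Both decoders give identical results for the two legitimate rows, which is why this kind of bug survives testing: the difference only shows up on the hostile row. Note that ast.literal_eval is a safe parser, not a safe deserializer for arbitrary trust boundaries; if the stored values are JSON, json.loads with a schema check is the cleaner choice.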
apsbot (>=0.2.0 <=0.3.1), askagent (>=0.1.0 <=0.1.1) +36 more potentially affected by CVE-2024-38459 via langchain-experimental (>=0.0.10 <=0.0.60)
langchain-experimental PYPI version =0.0.10, =0.2.0, =0.1.0, =0.0.3, =0.1.1, =0.0.1a1, =0.0.1, =0.1.0, =0.1.4, =0.1.0, =0.1.21, =0.1.27 - lang-wrapper-for-rag =0.0.1 and more Source cves: CVE-2024-38459 Source advisory: OSV:GHSA-WMVM-9VQV-5QPP...
GHSA-WMVM-9VQV-5QPP langchain_experimental Code Execution via Python REPL access
langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE: this issue exists because of an incomplete fix for CVE-2024-27444...
langchain_experimental Code Execution via Python REPL access
langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE: this issue exists because of an incomplete fix for CVE-2024-27444...