CVE-2023-29374
Published 2023-04-05
CVE-2023-29374: In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
Priority P266 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 39.65% (98.4th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| langchain | langchain | <= 0.0.131 | — |
| langchain | langchain | >= 0 < 0.0.132 | 0.0.132 |
| langchain | langchain | 0 – 0.0.131 | — |
Detection & IOCs
- CVE-2023-29374 involves prompt injection attacks against LangChain's LLMMathChain that result in arbitrary code execution via Python's exec method; monitor for unexpected exec() calls originating from LLM chain execution contexts.
- CVE-2023-29374 is classified as a remote code execution vulnerability achieved through an LLM prompt injection exploit; treat untrusted LLM inputs to LLMMathChain as a potential RCE vector.
- The vulnerability affects LangChain versions up to and including 0.0.131; deployments on this version range are exposed to prompt-injection-driven arbitrary code execution via LLMMathChain.
GHSA
LangChain vulnerable to code injection
ghsa·2023-04-05
CVE-2023-29374 [CRITICAL] CWE-74 LangChain vulnerable to code injection
In LangChain through 0.0.131, the `LLMMathChain` chain allows prompt injection attacks that can execute arbitrary code via the Python `exec()` method.
OSV
LangChain vulnerable to code injection
osv·2023-04-05
CVE-2023-29374 [CRITICAL] LangChain vulnerable to code injection
In LangChain through 0.0.131, the `LLMMathChain` chain allows prompt injection attacks that can execute arbitrary code via the Python `exec()` method.
OSV
CVE-2023-29374: In LangChain through 0
osv·2023-04-05
CVE-2023-29374 CVE-2023-29374: In LangChain through 0
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4367
vendor_chrome·2023-08-25·CVSS 3.6
CVE-2023-4367 [MEDIUM] Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4367
Stable Channel Update for ChromeOS / ChromeOS Flex
- CVE-2023-4367: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26
- [$500][1467751] Medium CVE-2023-4368: Insufficient policy enforcement in Extensions API. Reported by Axel Chong on 2023-07-26

Android Runtime Container Security Fixes:
- [NA] [NA] High Fixes CVE-2023-21264 on impacted platforms
- [NA] [NA] High Fixes CVE-2020-29374 on impacted platforms

We would like to thank the security researchers that report vulnerabilities to us via bughunters
Severity: medium
No detection rules found.
No public exploits indexed.
arXiv
Surveying the Operational Cybersecurity and Supply Chain Threat Landscape when Developing and Deploying AI Systems
arxiv_fulltext·2025-08-27
## Abstract
The rise of AI has transformed the software and hardware landscape, enabling powerful capabilities through specialized infrastructures, large-scale data storage, and advanced hardware.
However, these innovations introduce unique attack surfaces and objectives which traditional cybersecurity assessments often overlook.
Cyber attackers are shifting their objectives from conventional goals like privilege escalation and network pivoting to manipulating AI outputs to achieve desired system effects, such as slowing system performance, flooding outputs with false positives, or degrading model accuracy.
This paper serves to raise awareness of the novel cyber threats that are introduced when incorporating AI into a software system.
We explore the operational cybersecurity and supply ch
arXiv
Coordinated Flaw Disclosure for AI: Beyond Security Vulnerabilities
arxiv_fulltext·2024-07-26
## Abstract
Harm reporting in Artificial Intelligence (AI) currently lacks a structured process for disclosing and addressing algorithmic flaws, relying largely on an ad-hoc approach. This contrasts sharply with the well-established Coordinated Vulnerability Disclosure (CVD) ecosystem in software security. While global efforts to establish frameworks for AI transparency and collaboration are underway, the unique challenges presented by machine learning (ML) models demand a specialized approach. To address this gap, we propose implementing a Coordinated Flaw Disclosure (CFD) framework tailored to the complexities of ML and AI issues. This paper reviews the evolution of ML disclosure practices, from ad hoc reporting to emerging participatory auditing methods, and compares them with cybersec
- https://github.com/hwchase17/langchain/issues/1026
- https://github.com/hwchase17/langchain/issues/814
- https://github.com/hwchase17/langchain/pull/1119
- https://twitter.com/rharang/status/1641899743608463365/photo/1
2023-04-05
Published