cbcvebase.

Langchain Langchain-Experimental vulnerabilities

5 known vulnerabilities affecting langchain/langchain-experimental.

Total CVEs
5
CISA KEV
0
Public exploits
0
Exploited in wild
1
Severity breakdown
CRITICAL3HIGH2

Vulnerabilities

Page 1 of 1
CVE-2023-44467P2CRITICALCVSS 9.8Exploited≥ 0, ≤ 0.0.142023-10-09
CVE-2023-44467 [CRITICAL] langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py.
ghsaosv
CVE-2024-46946P2CRITICALCVSS 9.8≥ 0.1.17, ≤ 0.3.02024-09-19
CVE-2024-46946 [CRITICAL] CWE-20 CVE-2024-46946: langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attack langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).
ghsanvdosv
CVE-2024-21513P2HIGHCVSS 8.5≥ 0.0.15, < 0.0.212024-07-15
CVE-2024-21513 [HIGH] CWE-94 CVE-2024-21513: Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbit Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configur
ghsanvdosv
CVE-2024-27444P3CRITICALCVSS 9.8fixed in 0.1.82024-02-26
CVE-2024-27444 [CRITICAL] CWE-749 CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.
ghsanvdosv
CVE-2024-38459P4HIGHCVSS 7.8fixed in 0.0.612024-06-16
CVE-2024-38459 [HIGH] CVE-2024-38459: langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444.
ghsanvdosv
Langchain Langchain-Experimental vulnerabilities | cvebase