Vulnerability DatabaseCVE-2023-36095

CVE-2023-36095:
LangChain vulnerability analysis and mitigation

Overview

An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include frommathprompt and fromcoloredobject_prompt (NVD, CVE).

Technical details

The vulnerability exists in the PALChain component of langchain v.0.0.194, specifically in the python exec method. The affected functions include frommathprompt and fromcoloredobject_prompt. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network access vector, low attack complexity, and no privileges or user interaction required (NVD).

Impact

The vulnerability allows attackers to execute arbitrary code on the affected system. This could lead to complete system compromise, as the attacker can execute any Python commands through the PALChain component (NVD).

Mitigation and workarounds

Users should upgrade from the affected version (v.0.0.194) to a patched version of langchain. Additionally, it is recommended to implement input sanitization and validation to check for sensitive code before execution (GitHub Issue).

Additional resources

Source: This report was generated using AI

Related LangChain vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2024-8309	CRITICAL	9.8	Python	langchain	No	Yes	Oct 29, 2024
CVE-2024-7042	CRITICAL	9.8	JavaScript	langchain	No	Yes	Oct 29, 2024
CVE-2024-7774	CRITICAL	9.1	JavaScript	langchain	No	Yes	Oct 29, 2024
CVE-2024-5998	HIGH	7.8	Python	langchain	No	Yes	Sep 17, 2024
CVE-2024-3095	HIGH	7.7	Python	langchain	No	Yes	Jun 06, 2024