PT-2023-25427 · Harrison Chase · Langchain
Lyutoo · Published 2023-08-05 · Updated 2023-08-14
CVE-2023-36095
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Harrison Chase langchain version 0.0.194
Description
The issue allows an attacker to execute arbitrary code via the Python `exec` calls in the PALChain. The affected constructors are `from_math_prompt` and `from_colored_object_prompt`: a chain built with `from_math_prompt(llm).run(question)` passes the Python program that the LLM writes for the question straight to `exec`, with no validation or sandboxing. Because that program is derived from the question text, anyone who can influence what the model is asked can have Python of their choosing executed in the process hosting the chain.
Recommendations
For version 0.0.194, consider disabling the `from_math_prompt` and `from_colored_object_prompt` functions until a patch is available, to prevent arbitrary code execution.
Restrict access to the PALChain to minimize the risk of exploitation.
Avoid using the `exec` method in the Python code for the affected functions until the issue is resolved.
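The following Python is an added illustration, not LangChain's code and not an exploit for it: it reproduces the pattern the description refers to (a chain that `exec`s a model-written `solution()` and returns its result) with a stubbed model, and places an AST-based gate beside it. The two "model outputs" are constructed for the example; `audit_program`, `run_pal_unsafe` and `run_pal_checked` are names chosen here.

```python
"""Why exec() on LLM-generated PAL programs is arbitrary code execution,
and a minimal audit that refuses anything but plain arithmetic.
Added example; the LLM is stubbed with constructed strings."""
import ast
import builtins

# Constructed model output: what a PAL math prompt normally produces.
BENIGN_PROGRAM = '''
def solution():
    apples = 23
    apples_used = 20
    apples_bought = 6
    return apples - apples_used + apples_bought
'''

# Constructed model output for a hostile question. The body is deliberately
# harmless (getpid); the point is that it runs at all, so anything would.
INJECTED_PROGRAM = '''
def solution():
    return __import__("os").getpid()
'''

# Builtins a math program legitimately needs; everything else is withheld.
ALLOWED_CALLS = {"abs", "min", "max", "round", "sum", "len", "range", "int", "float"}


class UnsafeProgram(Exception):
    pass


def run_pal_unsafe(program: str):
    """The vulnerable pattern: exec the model's text, then call solution()."""
    namespace = {}
    exec(program, namespace)          # model-controlled code runs here
    return namespace["solution"]()


def audit_program(program: str) -> list:
    """Return the reasons a program is rejected (empty list = acceptable).

    Rejects imports, attribute access (blocks os.system, __class__ walks),
    dunder names (blocks __import__, __builtins__) and calls to anything
    outside ALLOWED_CALLS or the functions the program itself defines.
    """
    tree = ast.parse(program)
    defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    reasons = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append("import statement")
        elif isinstance(node, ast.Attribute):
            reasons.append(f"attribute access .{node.attr}")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            reasons.append(f"dunder name {node.id}")
        elif isinstance(node, ast.Call):
            func = node.func
            if not isinstance(func, ast.Name) or func.id not in ALLOWED_CALLS | defined:
                reasons.append("call outside allowlist")
    return reasons


def run_pal_checked(program: str):
    """Audit first, then exec with only the allowlisted builtins reachable."""
    reasons = audit_program(program)
    if reasons:
        raise UnsafeProgram("; ".join(reasons))
    namespace = {"__builtins__": {name: getattr(builtins, name) for name in ALLOWED_CALLS}}
    exec(program, namespace)
    return namespace["solution"]()


if __name__ == "__main__":
    print("unsafe, benign:  ", run_pal_unsafe(BENIGN_PROGRAM))
    print("unsafe, injected:", run_pal_unsafe(INJECTED_PROGRAM))   # injected code ran
    print("checked, benign: ", run_pal_checked(BENIGN_PROGRAM))
    try:
        run_pal_checked(INJECTED_PROGRAM)
    except UnsafeProgram as exc:
        print("checked, injected: rejected:", exc)
```

The audit is a gate, not a sandbox: Python has no in-process isolation, so the recommendation above to keep the chain away from untrusted callers still stands, and anything that must run model-written code should do so in a separate, resource-limited process or container rather than in the application's own interpreter.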
Fix
Weakness Enumeration
Code Injection
Related Identifiers
Affected Products
Langchain