PT-2023-25499 · Langchain · Langchain

Lyutoon · Published 2023-07-03 · Updated 2025-04-14 · CVE-2023-36258

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 0.0.236
Description: PALChain (program-aided language chain) takes the Python program generated by the language model and runs it with exec in the chain's Python execution step. Because the generated program is not validated before execution, anything the model emits is run with the privileges of the host application, including calls to os.system, exec and eval. An attacker who can influence the model's output, for example through the question passed to the chain or through content the chain retrieves, can therefore execute arbitrary code on the machine running LangChain.
Recommendations: Update to version 0.0.236 or later. If updating is not immediately possible, do not expose PALChain to untrusted input, or disable its exec step entirely. Independently of the version, run any chain that executes model-generated code in an isolated environment (separate process or container, no access to os, subprocess or the filesystem beyond what the task needs), and do not rely on the model refusing to emit dangerous code.
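The mechanism behind this advisory, as an added example that is not LangChain's own code: a program-aided chain hands the model's generated Python to exec, so whoever controls the prompt controls the program. The block below shows that vulnerable pattern beside a hardened variant that validates the program's AST before running it (no imports, no exec/eval/__import__, no dunder attribute access, exactly one solution function, a reduced builtins table). The three model outputs are constructed strings standing in for LLM responses; the function and policy names (run_pal_unchecked, run_pal_checked, validate_program, FORBIDDEN_NAMES, SAFE_BUILTINS) are assumptions for this illustration, not LangChain identifiers.

```python
import ast
import builtins

# Constructed stand-in for what the model returns to the chain. In a real run this text is
# produced by the LLM and therefore controlled, via the prompt, by whoever supplies the
# question or any content retrieved into it.
BENIGN_PROGRAM = '''
def solution():
    # Maria has 23 apples, uses 20, then buys 6 more
    apples = 23 - 20 + 6
    return apples
'''

# Constructed attacker-shaped output: the model was coaxed into emitting an import and a
# call into the OS. The payload is deliberately harmless (a read-only os call), but it proves
# the program ran with full interpreter access; os.system("...") would work the same way.
MALICIOUS_PROGRAM = '''
import os

def solution():
    return len(os.getcwd()) > 0
'''

# Constructed escape attempt that needs no import and no forbidden builtin name: it walks
# the object graph through dunder attributes, which a builtins allow-list alone does not stop.
DUNDER_PROGRAM = '''
def solution():
    return len(().__class__.__base__.__subclasses__()) > 0
'''


def run_pal_unchecked(program: str):
    """Vulnerable pattern (the shape of the pre-fix behaviour): exec the model's program
    as-is in a fresh namespace and call the function it defined."""
    namespace = {}
    exec(program, namespace)
    return namespace["solution"]()


# Assumed policy for the hardened variant (illustrative, not LangChain's configuration).
SOLUTION_NAME = "solution"
FORBIDDEN_NAMES = {
    "exec", "eval", "compile", "__import__", "open", "globals", "locals",
    "getattr", "setattr", "delattr", "vars", "breakpoint", "input",
}
FORBIDDEN_ATTRS = {"system", "popen", "spawn", "Popen", "run", "call", "check_output"}
SAFE_BUILTINS = {
    name: getattr(builtins, name)
    for name in ("abs", "min", "max", "sum", "len", "range", "int", "float", "round", "divmod", "pow")
}


def validate_program(program: str) -> None:
    """Reject any program that does more than define a pure arithmetic solution()."""
    tree = ast.parse(program)
    defined = [n.name for n in tree.body if isinstance(n, ast.FunctionDef)]
    if defined != [SOLUTION_NAME]:
        raise ValueError(f"program must define exactly one function named {SOLUTION_NAME!r}")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise ValueError("imports are not allowed")
        if isinstance(node, ast.Name) and (node.id in FORBIDDEN_NAMES or node.id.startswith("__")):
            raise ValueError(f"use of {node.id!r} is not allowed")
        if isinstance(node, ast.Attribute) and (node.attr in FORBIDDEN_ATTRS or node.attr.startswith("__")):
            raise ValueError(f"attribute {node.attr!r} is not allowed")


def run_pal_checked(program: str):
    """Hardened pattern: validate the AST first, then exec with a reduced builtins table."""
    validate_program(program)
    namespace = {"__builtins__": SAFE_BUILTINS}
    exec(program, namespace)
    return namespace[SOLUTION_NAME]()


def is_rejected(program: str) -> bool:
    """True if the validator refuses the program."""
    try:
        validate_program(program)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unchecked, benign   :", run_pal_unchecked(BENIGN_PROGRAM))
    print("unchecked, malicious:", run_pal_unchecked(MALICIOUS_PROGRAM))  # payload ran
    print("unchecked, dunder   :", run_pal_unchecked(DUNDER_PROGRAM))     # escape ran
    print("checked, benign     :", run_pal_checked(BENIGN_PROGRAM))
    for name, prog in (("malicious", MALICIOUS_PROGRAM), ("dunder", DUNDER_PROGRAM)):
        print(f"checked, {name:9}: rejected={is_rejected(prog)}")
```

The AST walk is the part that matters: the reduced builtins table on its own would still let DUNDER_PROGRAM through, because attribute access needs no builtin at all. Even with both checks this is an attack-surface reduction, not a sandbox; if untrusted prompts can reach a chain that executes model output, the execution step belongs in a separate, unprivileged process or container.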


Weakness Enumeration

Code Injection

Related Identifiers

CVE-2023-36258
GHSA-2QMJ-7962-CJQ8
PYSEC-2023-98

Affected Products

Langchain