CVE-2023-39631

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions LangChain versions 0.0.245 through 0.0.307

Description The issue is related to incorrect code generation control in the numexpr library of the LangChain framework, allowing a remote attacker to execute arbitrary code via the evaluate function. This can lead to exploitation by a remote attacker.

Recommendations For versions 0.0.245 through 0.0.307, update to version 0.0.308 or later, which includes a patch for the numexpr dependency issue. As a temporary workaround, consider disabling the evaluate function in the numexpr library until a patch is applied.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

BDU:2025-01410

CVE-2023-39631

GHSA-F73W-4M7G-CH9X

PYSEC-2023-162

PYSEC-2023-163

Affected Products

Langchain

Red Os

Numexpr

CVE-2023-39631

Weakness Enumeration

Related Identifiers

Affected Products

References · 20