PT-2024-18926 · Unknown · Langchain Experimental+1

Rory Mcnamara · Published 2024-07-15 · Updated 2024-08-01 · CVE-2024-21513

CVSS v4.0: 9.0 (Critical)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: langchain-experimental versions 0.0.15 through 0.0.21

Description: The issue allows arbitrary code execution when values are retrieved from the database. An attacker who controls the input prompt can execute arbitrary Python code if the server is configured with VectorSQLDatabaseChain. This affects the confidentiality, integrity, and availability of the vulnerable component and the subsequent system. The attacker needs to influence the input prompt to exploit the issue.

Recommendations: For versions 0.0.15 through 0.0.21, consider disabling the eval function or restricting access to the VectorSQLDatabaseChain plugin as a temporary workaround until a patch is available. Restricting the input prompt to prevent unauthorized control can also help minimize the risk of exploitation.
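Added illustration of the weakness the advisory describes, not code from langchain-experimental: a parser that hands database text to eval beside a hardened one that accepts only Python literals and validates the shape. The row format, column contents and function names are assumptions made for the example.

```python
import ast

# Constructed sample rows, shaped like a vector store that keeps each
# embedding as a text column which has to be turned back into a list.
# These rows are made up for the illustration, not taken from the advisory.
SAMPLE_ROWS = [
    ("doc-1", "[0.12, -0.5, 0.33]"),
    ("doc-2", "[1.0, 2.0, 3.0]"),
]


def parse_embedding_unsafe(text):
    # The weak pattern: whatever string comes back from the database is
    # passed to eval(), so any row whose content can be shaped upstream
    # (for example via the prompt that built the query) is executed as
    # Python rather than merely parsed. Kept here only for comparison.
    return eval(text)


def parse_embedding_safe(text):
    # Hardened form: ast.literal_eval accepts only literals (numbers,
    # strings, lists, tuples, dicts, ...) and raises on names, calls and
    # operators, so nothing is executed. The result is then checked
    # against the one shape the caller expects: a flat list of numbers.
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"embedding is not a literal: {text!r}") from exc
    if not isinstance(value, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in value
    ):
        raise ValueError(f"embedding is not a list of numbers: {text!r}")
    return [float(x) for x in value]


def load_embeddings(rows):
    # Decode every row with the safe parser; a malformed row fails loudly
    # instead of being run as code.
    return {doc_id: parse_embedding_safe(text) for doc_id, text in rows}


def is_rejected(text):
    # True when the safe parser refuses the input.
    try:
        parse_embedding_safe(text)
    except ValueError:
        return True
    return False
```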

Weakness Enumeration: Code Injection

Related Identifiers

CVE-2024-21513
GHSA-CGCG-P68Q-3W7V
PYSEC-2024-62

Affected Products

Vectorsqldatabasechain
Langchain Experimental