PT-2024-21902 · Langchain+1

Published 2024-02-25 · Updated 2025-07-14 · CVE-2024-27444

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LangChain versions prior to 0.1.8
LangChain Experimental versions prior to 0.0.52

Description

The issue allows an attacker to bypass a previous fix and execute arbitrary code via certain attributes in Python code, including __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__. These attributes are not prohibited by pal_chain/base.py.

Recommendations

For LangChain versions prior to 0.1.8, update to version 0.1.8 or later. For LangChain Experimental versions prior to 0.0.52, update to version 0.0.52 or later. As a temporary workaround, consider restricting the use of the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attributes in Python code until a patch is applied.
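
One way to apply the temporary workaround to Python code before it is executed, as an added example (not LangChain's code and not the check in pal_chain/base.py): an AST pass that reports any of the listed names used as an identifier, an attribute, or inside a string literal. The function name find_forbidden and both sample inputs are constructed for illustration.

```python
import ast

# Names listed in the advisory text for CVE-2024-27444.
FORBIDDEN = frozenset({
    "__import__", "__subclasses__", "__builtins__", "__globals__",
    "__getattribute__", "__bases__", "__mro__", "__base__",
})


def find_forbidden(source):
    """Return sorted (line, name) pairs for each listed name found in source.

    Hypothetical helper for this example. ast.parse raises SyntaxError on
    unparsable input, which a caller should also treat as a refusal.
    """
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute) and node.attr in FORBIDDEN:
            hits.add((node.lineno, node.attr))        # obj.__mro__
        elif isinstance(node, ast.Name) and node.id in FORBIDDEN:
            hits.add((node.lineno, node.id))          # bare __import__
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # String literals matter because getattr(obj, "<name>") reaches
            # the same attribute without an ast.Attribute node.
            hits.update((node.lineno, n) for n in FORBIDDEN if n in node.value)
    return sorted(hits)


# Constructed sample inputs (not taken from the advisory).
SAFE = """def solution():
    total = 3 + 4
    return total
"""

FLAGGED = """def solution():
    m = __import__('math')
    kinds = int.__mro__
    return getattr(int, '__base__')
"""

if __name__ == "__main__":
    for label, src in (("SAFE", SAFE), ("FLAGGED", FLAGGED)):
        found = find_forbidden(src)
        print(label, "refuse" if found else "allow", found)
```

Treat any hit as a reason to refuse execution. A name denylist is only the stopgap the recommendation describes; updating to the fixed versions remains the remedy.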

Related Identifiers

CVE-2024-27444
GHSA-V8VJ-CV27-HJV8

Affected Products

Langchain
Langchain Experimental