CVE-2024-46946

Name of the Vulnerable Software and Affected Versions langchain experimental versions 0.1.17 through 0.3.0

Description The issue allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in a specific commit on October 5, 2023.

Recommendations For versions 0.1.17 through 0.3.0, consider disabling the sympy.sympify function until a patch is available to prevent arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.