PyPi: Langchain

CVE-2024-27444

Safety vulnerability ID: 65703

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 26, 2024 Updated at Jan 03, 2025

Advisory

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py. See CVE-2024-27444.
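The advisory's point is that an allow/deny check on generated Python code is only as good as its denylist: the original pal_chain/base.py check let model-generated code reach the listed dunder attributes, through which the earlier CVE-2023-44467 fix could be bypassed. The validator below is an added illustration of the defensive check, not LangChain's own code and not the code from the fix commit; it walks the AST of a candidate solution and reports every attribute access or bare name that matches the eight names the advisory lists. It also goes slightly beyond the advisory by flagging the same names when they appear as string literals, since `getattr(obj, "name")` reaches an attribute without an `ast.Attribute` node. The sample snippets are constructed for the example.

```python
import ast

# The attribute names the advisory says the original pal_chain/base.py check
# did not prohibit (taken verbatim from the advisory text).
DANGEROUS_ATTRIBUTES = frozenset({
    "__import__", "__subclasses__", "__builtins__", "__globals__",
    "__getattribute__", "__bases__", "__mro__", "__base__",
})


def find_dangerous_attributes(code: str) -> list[str]:
    """Return 'lineno:name' for every denylisted name the snippet touches.

    Three AST shapes are checked: attribute access (obj.__mro__), a bare name
    (__builtins__), and a string literal naming the attribute (the getattr
    case, which is an assumption added here beyond the advisory's wording).
    An empty list means the snippet passed this particular check.
    """
    tree = ast.parse(code)
    hits: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in DANGEROUS_ATTRIBUTES:
            hits.append(f"{node.lineno}:{node.attr}")
        elif isinstance(node, ast.Name) and node.id in DANGEROUS_ATTRIBUTES:
            hits.append(f"{node.lineno}:{node.id}")
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in DANGEROUS_ATTRIBUTES):
            hits.append(f"{node.lineno}:{node.value}")
    return hits


def validate_solution(code: str) -> bool:
    """True if the generated solution passes the denylist check."""
    return not find_dangerous_attributes(code)


# Constructed samples: a typical PAL-style arithmetic solution, and two that
# reference denylisted names (one via attribute access, one via getattr).
BENIGN = '''
def solution():
    apples = 5
    eaten = 2
    return apples - eaten
'''

REJECTED_ATTRIBUTE = '''
def solution():
    sub = object.__subclasses__()
    return len(sub)
'''

REJECTED_GETATTR = '''
def solution():
    f = getattr(__builtins__, "__import__")
    return f
'''

if __name__ == "__main__":
    for label, snippet in [("benign", BENIGN),
                           ("attribute", REJECTED_ATTRIBUTE),
                           ("getattr", REJECTED_GETATTR)]:
        print(label, "passes" if validate_solution(snippet) else "rejected",
              find_dangerous_attributes(snippet))
```

A denylist of this kind is a last line of defence rather than a sandbox: the safer design for PAL-style chains is to run generated code in a separate, resource-limited process with no access to the host interpreter's objects, and to treat the AST check as one additional gate.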

Affected package

langchain

Latest version: 0.3.14

Building applications with LLMs through composability

Affected versions

Fixed versions

Vulnerability changelog

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py. See CVE-2024-27444.

Fix commit: https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7
