CRITICAL 9.8 PyPI
Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
GHSA-f73w-4m7g-ch9x · CVE-2023-39631 · PYSEC-2023-162 · PYSEC-2023-163
Published · Modified
Description
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-39631
- WEB https://github.com/langchain-ai/langchain/issues/8363
- WEB https://github.com/pydata/numexpr/issues/442
- WEB https://github.com/langchain-ai/langchain/pull/11302
- WEB https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7
- PACKAGE https://github.com/langchain-ai/langchain
- WEB https://github.com/langchain-ai/langchain/releases/tag/v0.0.308
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml
Ready to move
Start Securing
Free, no credit card | First findings in minutes