CVE-2023-36258: langchain arbitrary code execution vulnerability

July 3, 2023 (updated September 27, 2024)

An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method.

References

github.com/advisories/GHSA-2qmj-7962-cjq8
github.com/hwchase17/langchain
github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137
github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e
github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751
github.com/langchain-ai/langchain/issues/5872
github.com/langchain-ai/langchain/issues/5872
github.com/langchain-ai/langchain/pull/6003
github.com/langchain-ai/langchain/pull/7870
github.com/langchain-ai/langchain/pull/8425
github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml
nvd.nist.gov/vuln/detail/CVE-2023-36258

Detect and mitigate CVE-2023-36258 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →