CVE-2023-39631: Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
(updated )
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.
References
- github.com/advisories/GHSA-f73w-4m7g-ch9x
- github.com/langchain-ai/langchain
- github.com/langchain-ai/langchain/issues/8363
- github.com/langchain-ai/langchain/pull/11302
- github.com/langchain-ai/langchain/releases/tag/v0.0.308
- github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7
- github.com/pydata/numexpr/issues/442
- github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml
- github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-39631
Code Behaviors & Features
Detect and mitigate CVE-2023-39631 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →