AI Threat Alert
Published April 5, 2023
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain | pip | <= 0.0.131 | No patch |
| langchain | pip | — | No patch |
Severity & Risk
CVSS 3.1
9.8 / 10
EPSS
4.5%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A
Recommended Action
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/hwchase17/langchain/issues/1026 Issue
- github.com/hwchase17/langchain/issues/814 Exploit Issue Patch
- github.com/hwchase17/langchain/pull/1119 Patch
- twitter.com/rharang/status/1641899743608463365/photo/1 Exploit
- github.com/hwchase17/langchain/issues/1026 Issue
- github.com/hwchase17/langchain/issues/814 Exploit Issue Patch
- github.com/hwchase17/langchain/pull/1119 Patch
- twitter.com/rharang/status/1641899743608463365/photo/1 Exploit
- github.com/advisories/GHSA-fprp-p869-w6q2
- github.com/hwchase17/langchain/issues/1026
- github.com/hwchase17/langchain/issues/814
- github.com/hwchase17/langchain/pull/1119
- github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-29374
- twitter.com/rharang/status/1641899743608463365/photo/1
Timeline
Published
April 5, 2023
Last Modified
February 12, 2025
First Seen
April 5, 2023