1  info:
 2    name: langchain
 3    cve: CVE-2023-36281
 4    summary: langchain vulnerable to arbitrary code execution
 5    details: |
 6      An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the `load_prompt` parameter by submitting a specially crafted JSON file. This vulnerability is related to the misuse of `__subclasses__` or a template.
 7    cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 8    severity: CRITICAL
 9    security_advise: |
10      1. Upgrade to langchain >= 0.0.312 immediately.
11      2. Review and update your application's input validation to prevent the exploitation of similar vulnerabilities.
12      3. Monitor for any further security advisories related to langchain and apply updates promptly.
13  rule: version >= "0" && version < "0.0.312"
14  references:
15    - https://nvd.nist.gov/vuln/detail/CVE-2023-36281
16    - https://github.com/hwchase17/langchain/issues/4394
17    - https://github.com/langchain-ai/langchain/pull/10252
18    - https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c
19    - https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55
20    - https://github.com/langchain-ai/langchain
21    - https://github.com/langchain-ai/langchain/releases/tag/v0.0.312
22    - https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml