CVE-2024-27444.yaml
info:
  name: langchain
  cve: CVE-2024-27444
  summary: LangChain Experimental vulnerable to arbitrary code execution
  details: |
    langchain_experimental (aka LangChain Experimental) before 0.0.52, part of LangChain before 0.1.8,
    allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the
    `__import__`, `__subclasses__`, `__builtins__`, `__globals__`, `__getattribute__`,
    `__bases__`, `__mro__`, or `__base__` attribute in Python code. These are not prohibited by
    `pal_chain/base.py`.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to langchain-experimental>=0.0.52 and LangChain>=0.1.8
    2. Review and patch any custom code that may utilize the vulnerable attributes
    3. Monitor for any suspicious activity post-upgrade
rule: version < "0.0.52" || version < "0.1.8"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-27444
  - https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7
  - https://github.com/langchain-ai/langchain