CVE-2024-46946.yaml
info:
  name: langchain
  cve: CVE-2024-46946
  summary: LangChain Experimental Eval Injection vulnerability
  details: |
    langchain_experimental (aka LangChain Experimental) versions 0.1.17 through 0.3.0 allow attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in commit fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 on 2023-10-05.
  cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  severity: CRITICAL
  security_advise: |
    1. Upgrade to langchain-experimental >= 0.3.1
    2. Review and patch the use of sympy.sympify to avoid code execution
    3. Monitor for any further updates or patches from the maintainers
rule: version >= "0.1.17" && version <= "0.3.0"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2024-46946
  - https://docs.sympy.org/latest/modules/codegen.html
  - https://gist.github.com/12end/68c0c58d2564ef4141bccd4651480820#file-cve-2024-46946-txt
  - https://github.com/langchain-ai/langchain
  - https://github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0