CVE-2024-46946: LangChain Experimental Eval Injection vulnerability

September 19, 2024

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

References

docs.sympy.org/latest/modules/codegen.html
gist.github.com/12end/68c0c58d2564ef4141bccd4651480820
github.com/advisories/GHSA-p2qj-r53j-h3xj
github.com/langchain-ai/langchain
github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0
nvd.nist.gov/vuln/detail/CVE-2024-46946

Code Behaviors & Features

Detect and mitigate CVE-2024-46946 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →