Critical severityNVD Advisory· Published Sep 1, 2023· Updated Oct 1, 2024
CVE-2023-39631
CVE-2023-39631
Description
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
langchainPyPI | < 0.0.308 | 0.0.308 |
numexprPyPI | < 2.8.5 | 2.8.5 |
Affected products
3- LanChain-ai/Langchaindescription
- ghsa-coords2 versions
< 0.0.308+ 1 more
- (no CPE)range: < 0.0.308
- (no CPE)range: < 2.8.5
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-f73w-4m7g-ch9xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-39631ghsaADVISORY
- github.com/langchain-ai/langchain/issues/8363ghsaWEB
- github.com/langchain-ai/langchain/pull/11302ghsaWEB
- github.com/langchain-ai/langchain/releases/tag/v0.0.308ghsaWEB
- github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7ghsaWEB
- github.com/pydata/numexpr/issues/442ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yamlghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yamlghsaWEB
News mentions
0No linked articles in our index yet.