Critical severityNVD Advisory· Published Sep 19, 2024· Updated Sep 19, 2024
CVE-2024-46946
CVE-2024-46946
Description
langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
langchain-experimentalPyPI | >= 0.1.17, <= 0.3.0 | — |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-p2qj-r53j-h3xjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-46946ghsaADVISORY
- docs.sympy.org/latest/modules/codegen.htmlghsaWEB
- gist.github.com/12end/68c0c58d2564ef4141bccd4651480820ghsaWEB
- github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0ghsaWEB
- cwe.mitre.org/data/definitions/95.htmlmitre
News mentions
0No linked articles in our index yet.