Langchain
by Langchain AI
Source repositories
CVEs (32)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-0243 | 0.00 | — | 0.01 | Feb 24, 2024 | With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text ) docs = loader.load() ``` An attacker in control of… | |||
| CVE-2023-32786 | 0.00 | — | 0.01 | Oct 20, 2023 | In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks. | |||
| CVE-2023-46229 | 0.00 | — | 0.45 | Oct 19, 2023 | LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server. | |||
| CVE-2023-36281 | 0.00 | — | 0.03 | Aug 22, 2023 | An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template. | |||
| CVE-2023-38860 | 0.00 | — | 0.01 | Aug 15, 2023 | An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter. | |||
| CVE-2023-39659 | 0.00 | — | 0.01 | Aug 15, 2023 | An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. | |||
| CVE-2023-36189 | 0.00 | — | 0.01 | Jul 6, 2023 | SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component. | |||
| CVE-2023-36188 | 0.00 | — | 0.02 | Jul 6, 2023 | An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method. | |||
| CVE-2023-36258 | 0.00 | — | 0.01 | Jul 3, 2023 | An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used. | |||
| CVE-2023-34541 | 0.00 | — | 0.01 | Jun 20, 2023 | Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt. | |||
| CVE-2023-34540 | 0.00 | — | 0.02 | Jun 14, 2023 | Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference,… | |||
| CVE-2023-29374 | 0.00 | — | 0.40 | Apr 5, 2023 | In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method. |
- CVE-2024-0243Feb 24, 2024risk 0.00cvss —epss 0.01
With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text ) docs = loader.load() ``` An attacker in control of…
- CVE-2023-32786Oct 20, 2023risk 0.00cvss —epss 0.01
In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.
- CVE-2023-46229Oct 19, 2023risk 0.00cvss —epss 0.45
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
- CVE-2023-36281Aug 22, 2023risk 0.00cvss —epss 0.03
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template.
- CVE-2023-38860Aug 15, 2023risk 0.00cvss —epss 0.01
An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.
- CVE-2023-39659Aug 15, 2023risk 0.00cvss —epss 0.01
An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.
- CVE-2023-36189Jul 6, 2023risk 0.00cvss —epss 0.01
SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.
- CVE-2023-36188Jul 6, 2023risk 0.00cvss —epss 0.02
An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.
- CVE-2023-36258Jul 3, 2023risk 0.00cvss —epss 0.01
An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used.
- CVE-2023-34541Jun 20, 2023risk 0.00cvss —epss 0.01
Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.
- CVE-2023-34540Jun 14, 2023risk 0.00cvss —epss 0.02
Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference,…
- CVE-2023-29374Apr 5, 2023risk 0.00cvss —epss 0.40
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.
Page 2 of 2