CVE-2024-38459

HIGH

langchain_experimental <0.0.61 - RCE

Title source: llm

Description

langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444.

References (3)

Core 3

Core References

Patch

https://github.com/langchain-ai/langchain/commit/ce0b0f22a175139df8f41cdcfb4d2af411112009

View Patch ZIP pw:eip

Product

https://github.com/langchain-ai/langchain/compare/langchain-experimental==0.0.60...langchain-experimental==0.0.61

Issue Tracking

https://github.com/langchain-ai/langchain/pull/22860

Scores

CVSS v3 7.8

EPSS 0.0008

EPSS Percentile 23.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-276

Status published

Products (2)

langchain/langchain-experimental < 0.0.61

pypi/langchain-experimental 0 - 0.0.61PyPI

Published Jun 16, 2024

Tracked Since Feb 18, 2026