CVE-2024-27444

Published: Feb 26, 2024Modified: Jul 14, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.

Affected (1)

Products: Langchain: Langchain Experimental

1 product

Langchain Experimental

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Langchain Langchain Experimental	Before 0.1.8

Related CWEs

Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

References (2)

https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7

Source: cve@mitre.org

Patch

https://github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.