CVE-2024-46946

Published: Sep 19, 2024Modified: Jul 16, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

Affected (1)

Products: Langchain: Langchain Experimental

1 product

Langchain Experimental

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Langchain Langchain Experimental	From 0.1.17 to 0.3.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://cwe.mitre.org/data/definitions/95.html

Source: cve@mitre.org

Not Applicable

https://docs.sympy.org/latest/modules/codegen.html

Source: cve@mitre.org

Technical Description

https://gist.github.com/12end/68c0c58d2564ef4141bccd4651480820#file-cve-2024-46946-txt

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0

Source: cve@mitre.org

Release Notes

Timeline

No history available yet.