{"data":{"id":"3ffc9fd5-1aea-4bc8-9073-cd843137eb5f","title":"CVE-2024-21513: Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution ","summary":"Versions 0.0.15 through 0.0.20 of langchain-experimental contain a vulnerability where the code uses 'eval' (a function that runs Python code from text) on database values, allowing attackers to execute arbitrary code if they can control the input prompt and the server uses VectorSQLDatabaseChain (a component that connects language models to SQL databases). An attacker with low privileges could exploit this to break out of the application and access files or make unauthorized network connections.","solution":"Update langchain-experimental to version 0.0.21 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-21513","publishedAt":"2024-07-15T09:15:01.857Z","cveId":"CVE-2024-21513","cweIds":["CWE-94","CWE-94"],"cvssScore":"8.5","cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["langchain-experimental"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.10171,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}