{"data":{"id":"cfc91b7a-e2ad-4bbb-b0cf-3e892ec2be36","title":"CVE-2024-46946: langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbit","summary":"LangChain Experimental versions 0.1.17 through 0.3.0 contain a vulnerability that allows attackers to execute arbitrary code (run malicious commands on a system) through a component called LLMSymbolicMathChain, which uses sympy.sympify (a function that evaluates mathematical expressions in an unsafe way). The root cause is improper input validation (failing to check that user input is safe before processing it).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-46946","publishedAt":"2024-09-19T09:15:11.857Z","cveId":"CVE-2024-46946","cweIds":["CWE-20"],"cvssScore":"9.8","cvssSeverity":"critical","severity":"critical","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","langchain_experimental"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0062,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}