CVE-2024-21513: Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution
Summary
Versions 0.0.15 through 0.0.20 of langchain-experimental call Python's eval() (a function that executes code supplied as a string) on values returned from the database. An attacker who can control the input prompt can therefore execute arbitrary code on a server that uses VectorSQLDatabaseChain (a component that connects language models to SQL databases). An attacker with low privileges could exploit this to break out of the application and access files or make unauthorized network connections.
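The unsafe pattern the summary describes, shown beside a hardened replacement, as an added example that is not langchain-experimental's own code: the function names, the constructed sample rows and the choice of ast.literal_eval are assumptions, and the upstream fix in 0.0.21 may differ in detail.

```python
import ast
from typing import List

# Constructed sample values as a SQL engine might return a vector column:
# the embedding comes back as text and has to become a Python list.
BENIGN_ROW = "[0.12, -0.34, 0.56]"
# Constructed: valid Python, but an expression rather than a literal.
# eval() evaluates it; a literal-only parser must reject it.
NON_LITERAL_ROW = "sum([1, 2, 3])"


def parse_vector_unsafe(value: str):
    """Vulnerable pattern (assumed shape of the bug): eval() turns the
    database string into Python objects, but it also executes any code
    that string happens to contain."""
    return eval(value)  # noqa: S307 - deliberately unsafe for illustration


def parse_vector_safe(value: str) -> List[float]:
    """Hardened replacement: ast.literal_eval accepts only Python literals
    (numbers, strings, lists, dicts, ...) and refuses calls, names and
    attribute access, so nothing in the string can run. The result is then
    validated as a flat list of numbers before it is returned."""
    try:
        parsed = ast.literal_eval(value)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("database value is not a Python literal") from None
    if not isinstance(parsed, list) or not all(
        isinstance(x, (int, float)) and not isinstance(x, bool) for x in parsed
    ):
        raise ValueError("expected a list of numbers")
    return [float(x) for x in parsed]


def safe_parser_rejects(value: str) -> bool:
    """Check helper: True when the hardened parser refuses the value."""
    try:
        parse_vector_safe(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_vector_safe(BENIGN_ROW))            # [0.12, -0.34, 0.56]
    print(parse_vector_unsafe(NON_LITERAL_ROW))     # 6: eval ran the call
    print(safe_parser_rejects(NON_LITERAL_ROW))     # True: literal_eval did not
```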
Solution / Mitigation
Update langchain-experimental to version 0.0.21 or later.
Vulnerability Details
Severity score: 8.5 (High)
EPSS: 10.2%
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-21513
First tracked: February 15, 2026 at 08:35 PM