Cyber Resilience

CVE-2024-21513

High · RCE

Published: 15 July 2024

Modified: 21 November 2024
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1339 (94.3th percentile)
Risk Priority: 25 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-21513 is a high-severity Code Injection (CWE-94) vulnerability in LangChain's langchain-experimental package. Its CVSS base score is 8.5 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers.

Deeper analysis

Versions of the langchain-experimental package from 0.0.15 through 0.0.20 contain an arbitrary code execution flaw in the VectorSQLDatabaseChain component. When values are retrieved from a database the code invokes Python eval on every result without sanitization, allowing execution of attacker-supplied expressions inside the langchain-experimental process.

An attacker who can control the input prompt and who has low-privileged access to a server configured with VectorSQLDatabaseChain can supply a malicious prompt that triggers evaluation of arbitrary Python code. Successful exploitation yields code execution with the privileges of the langchain process, affecting confidentiality and integrity of both the component and the underlying operating system during post-exploitation.

The referenced commit 7b13292e3544b2f5f2bfb8a27a062ea2b0c34561 removes the unsafe eval calls; users should upgrade to langchain-experimental 0.0.21 or later. The Snyk advisory SNYK-PYTHON-LANGCHAINEXPERIMENTAL-7278171 likewise recommends the patched release and notes that the attack requires the VectorSQLDatabaseChain configuration.
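The flaw class described above, as an added example that is not code from langchain-experimental or from the referenced commit: the function names, the canary helper and the sample row are all hypothetical and constructed for illustration. The page describes the upstream fix only as removing the eval calls; ast.literal_eval is the hardened alternative chosen here for cases where literal values still need to be parsed.

```python
import ast

CANARY_CALLS = []  # records whether any code ran while parsing a row


def canary():
    """Harmless stand-in for an injected expression; it only records that it ran."""
    CANARY_CALLS.append("executed")
    return "side effect happened"


def parse_row_unsafe(row):
    """Flawed pattern (hypothetical helper): eval() on every value from the database."""
    parsed = {}
    for column, value in row.items():
        try:
            parsed[column] = eval(value)  # evaluates any expression stored in the value
        except Exception:
            parsed[column] = value
    return parsed


def parse_row_safe(row):
    """Hardened form (hypothetical helper): only Python literals are parsed."""
    parsed = {}
    for column, value in row.items():
        try:
            parsed[column] = ast.literal_eval(value)
        except (ValueError, SyntaxError, TypeError):
            parsed[column] = value  # anything that is not a literal stays an opaque string
    return parsed


# Constructed sample row: two literal values and one value holding an expression.
SAMPLE_ROW = {
    "id": "42",
    "embedding": "[0.1, 0.2, 0.3]",
    "title": "canary()",
}

if __name__ == "__main__":
    print("safe:  ", parse_row_safe(SAMPLE_ROW), "canary calls:", len(CANARY_CALLS))
    print("unsafe:", parse_row_unsafe(SAMPLE_ROW), "canary calls:", len(CANARY_CALLS))
```

In the safe variant the expression string is returned unchanged and the canary never fires; in the unsafe variant the same row causes the canary to run inside the parsing process.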

EPSS for the CVE rose from a low baseline to a peak of 0.1665 (current value 0.1339), indicating that exploitation interest increased after public disclosure.

Vulnerability details

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution: when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary Python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain.

**Notes:**

Impact on the Confidentiality, Integrity and Availability of the vulnerable component:

Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible.

Integrity: There is nothing protected by the impacted component inherently, although anything returned from the component counts as 'information' for which the trustworthiness can be compromised.

Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps.

Impact on the Confidentiality, Integrity and Availability of the subsequent system:

As a legitimate low-privileged user of the package (PR:L), the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended actions that one can perform by breaking out of the app environment (exfiltrating files, making remote connections etc.) happen during the post-exploitation phase in the subsequent system, in this case the OS.

AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.

CWE(s)

CWE-94 (Code Injection)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: langchain, langchain

Affected Assets

langchain
langchain-experimental
0.0.15 — 0.0.21

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.
