Cyber Resilience

CVE-2024-46946

CriticalPublic PoC

Published: 19 September 2024

Published
19 September 2024
Modified
16 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 71.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-46946 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Langchain Langchain-Experimental. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked in the top 28.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain; MITRE ATLAS techniques in scope: Indirect (AML.T0051.001).

EU & UK References

Vulnerability details

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
LangChain (langchain_experimental) is a framework for building LLM-powered applications, agents, and chains, with LLMSymbolicMathChain being an experimental tool integrating LLMs with symbolic math processing.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The RCE vulnerability in LangChain's SymbolicMathChain allows arbitrary Python code execution via unsafe sympy.sympify(eval), enabling adversaries to abuse the Python interpreter (T1059.006) and exploit public-facing applications using the library (T1190).

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0051.001: Indirect

Affected Assets

langchain
langchain-experimental
0.1.17 — 0.3.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-20

Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

addresses: CWE-20

Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.

addresses: CWE-20

Directly implements checks on information inputs to reject invalid data before processing.

addresses: CWE-20

Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.

References