CVE-2023-34540: LangChain: RCE via JiraAPIWrapper crafted input

CRITICAL PoC AVAILABLE
Published June 14, 2023
CISO Take

Any LangChain deployment using the JiraAPIWrapper tool is critically exposed to unauthenticated remote code execution — no privileges or user interaction required. Upgrade to v0.0.225 immediately; if patching is delayed, disable or remove the JiraAPIWrapper tool from all agent configurations. This affects production AI agent systems that integrate with Jira, a common enterprise pattern.

What is the risk?

Critical risk. A CVSS score of 9.8 with a network-accessible attack vector, zero authentication, and zero user interaction means this is trivially weaponizable by any attacker who can reach the application. LangChain was the dominant LLM orchestration framework at the time of disclosure, meaning the blast radius across the AI/ML ecosystem was extremely high. Applications exposing LangChain agents with Jira integration to the internet, or even to internal networks, are fully compromised if unpatched. The absence of a CWE listing and the high EPSS implied by the CVSS score suggest broad, low-barrier exploitation.

What systems are affected?

Package    Ecosystem  Vulnerable Range  Patched
LangChain  pip        (none listed)     No patch

139.8K, OpenSSF 5.9, 2.7K dependents, pushed 3d ago, 24% patched, ~156d to patch


How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.7% chance of exploitation in 30 days (higher than 74% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

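Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High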

What should I do?

  1. IMMEDIATE: Upgrade LangChain to v0.0.225 or later (fix confirmed in release).

  2. SHORT-TERM: Audit all agent tool configurations and remove JiraAPIWrapper from any agent not strictly requiring it.

  3. Apply input validation and sanitization at the application boundary before any data reaches agent tools.

  4. Enforce least-privilege on accounts used by JiraAPIWrapper (read-only Jira tokens where possible).

  5. DETECTION: Review server logs for anomalous subprocess spawning, outbound connections from the LangChain process, or unexpected file writes.

  6. Rotate all API keys and secrets accessible from the LangChain runtime environment post-incident.

  7. Implement network egress controls on AI agent hosts to limit post-exploitation lateral movement.
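
An added example (not part of the advisory or of LangChain's own code) covering steps 1 and 2: it compares a version string against the v0.0.225 fix and walks a module's AST for JiraAPIWrapper imports and uses. The function names and the sample module are constructed for illustration.

```python
import ast
import re
from importlib import metadata

FIXED = (0, 0, 225)        # first fixed release, per the advisory
TARGET = "JiraAPIWrapper"  # component named in the advisory

def parse_version(text):
    """'0.0.224' -> (0, 0, 224); pre-release and local suffixes are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version_text):
    return parse_version(version_text) < FIXED

def installed_langchain():
    """Version of the installed 'langchain' distribution, or None if absent."""
    try:
        return metadata.version("langchain")
    except metadata.PackageNotFoundError:
        return None

def find_wrapper_usage(source):
    """Sorted (line, kind) pairs where TARGET is imported or referenced; AST-based,
    so comments and strings never match and 'import ... as' aliases are followed."""
    names, hits = {TARGET}, set()
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            for alias in node.names:
                if alias.name == TARGET:
                    names.add(alias.asname or alias.name)
                    hits.add((node.lineno, "import"))
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in names:
            hits.add((node.lineno, "reference"))
        elif isinstance(node, ast.Attribute) and node.attr == TARGET:
            hits.add((node.lineno, "reference"))
    return sorted(hits)

# Constructed sample of an agent module (not from any real project).
SAMPLE = '''# JiraAPIWrapper appears here only in a comment
from langchain.utilities.jira import JiraAPIWrapper as Jira
note = "JiraAPIWrapper inside a string"
jira = Jira()
'''

if __name__ == "__main__":
    print(installed_langchain(), find_wrapper_usage(SAMPLE))
```

Run `find_wrapper_usage` over each Python file in the agent code base; any hit on a host where `is_vulnerable(installed_langchain())` is true marks an agent to patch or strip of the tool first.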

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
  Article 9 - Risk Management System
ISO 42001
  6.1.2 - AI Risk Assessment
  8.4 - AI System Operation
NIST AI RMF
  GOVERN 6.1 - Policies for Third-Party AI Components
  MANAGE 2.2 - Risk Treatment and Mitigation
OWASP LLM Top 10
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions


Is CVE-2023-34540 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34540, increasing the risk of exploitation.


What systems are affected by CVE-2023-34540?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, enterprise tool integrations, RAG pipelines with external data connectors, internal copilots with project management integrations.

What is the CVSS score for CVE-2023-34540?

CVE-2023-34540 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.68%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
LLM application backends
enterprise tool integrations
RAG pipelines with external data connectors
internal copilots with project management integrations

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available.

Exploitation Scenario

An adversary identifies a public-facing enterprise chatbot or internal IT assistant powered by LangChain with JiraAPIWrapper enabled (discoverable via response headers, job postings, or GitHub repos). The attacker submits a crafted natural language query or direct API request containing a malicious payload that exploits unsafe input handling in JiraAPIWrapper — likely triggering eval() or subprocess execution with attacker-controlled arguments. This yields a reverse shell on the application server. From there, the attacker harvests environment variables (LLM API keys, database credentials, Stripe keys), exfiltrates the vector database or RAG corpus containing proprietary data, and pivots to connected Jira/Confluence instances using the agent's stored OAuth tokens. The entire attack requires no authentication and produces no alerts in standard SIEM rules not tuned for AI application anomalies.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
June 14, 2023
Last Modified
November 21, 2024
First Seen
June 14, 2023

Related Vulnerabilities