CVE-2023-34540: LangChain: RCE via JiraAPIWrapper crafted input

CRITICAL PoC AVAILABLE
Published June 14, 2023
CISO Take

Any LangChain deployment using the JiraAPIWrapper tool is critically exposed to unauthenticated remote code execution — no privileges or user interaction required. Upgrade to v0.0.225 immediately; if patching is delayed, disable or remove the JiraAPIWrapper tool from all agent configurations. This affects production AI agent systems that integrate with Jira, a common enterprise pattern.

Risk Assessment

Critical risk. CVSS 9.8 with network-accessible attack vector, zero authentication, and zero user interaction means this is trivially weaponizable by any attacker who can reach the application. LangChain was the dominant LLM orchestration framework at time of disclosure, meaning blast radius across the AI/ML ecosystem was extremely high. Applications exposing LangChain agents with Jira integration to the internet — or even internal networks — are fully compromised if unpatched. The absence of a CWE listing and the high EPSS implication from CVSS score suggest broad, low-barrier exploitation.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langchain | pip | | No patch |

135.7K; OpenSSF 6.5; 2.6K dependents; Pushed 7d ago; 17% patched; ~256d to patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 1.9% chance of exploitation in 30 days (higher than 83% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. IMMEDIATE: Upgrade LangChain to v0.0.225 or later (fix confirmed in release).

  2. SHORT-TERM: Audit all agent tool configurations — remove JiraAPIWrapper from any agent not strictly requiring it.

  3. Apply input validation and sanitization at the application boundary before any data reaches agent tools.

  4. Enforce least-privilege on accounts used by JiraAPIWrapper (read-only Jira tokens where possible).

  5. DETECTION: Review server logs for anomalous subprocess spawning, outbound connections from the LangChain process, or unexpected file writes.

  6. Rotate all API keys and secrets accessible from the LangChain runtime environment post-incident.

  7. Implement network egress controls on AI agent hosts to limit post-exploitation lateral movement.
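
Steps 1 and 2 can be checked mechanically. The following is an added example, not code from LangChain or from this advisory: it compares a LangChain version string against the fixed release (v0.0.225) and uses Python's `ast` module to list where `JiraAPIWrapper` is imported or referenced in agent source. The function names, the result layout and the sample source are assumptions made for illustration.

```python
import ast
import re
from importlib import metadata

FIXED = (0, 0, 225)           # first fixed release named in the advisory
TOOL_NAME = "JiraAPIWrapper"  # component named in the advisory

# Constructed sample of agent code (illustrative, not taken from a real project).
SAMPLE = '''\
from langchain.utilities.jira import JiraAPIWrapper

jira = JiraAPIWrapper()
'''

def parse_version(text):
    """Return the leading numeric components of a version string as a tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable_version(text):
    """True when the version sorts before the fixed release."""
    return parse_version(text) < FIXED

def find_jira_wrapper(source, filename="<src>"):
    """Return sorted line numbers that import or reference JiraAPIWrapper."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.ImportFrom):
            if any(alias.name == TOOL_NAME for alias in node.names):
                hits.add(node.lineno)
        elif (isinstance(node, ast.Name) and node.id == TOOL_NAME) or \
             (isinstance(node, ast.Attribute) and node.attr == TOOL_NAME):
            hits.add(node.lineno)
    return sorted(hits)

def audit(version, sources):
    """Combine the version check with per-file references to the tool."""
    refs = {name: lines for name, src in sources.items()
            if (lines := find_jira_wrapper(src, name))}
    vulnerable = version is not None and is_vulnerable_version(version)
    return {"version_vulnerable": vulnerable, "references": refs,
            "exposed": vulnerable and bool(refs)}

if __name__ == "__main__":
    try:
        installed = metadata.version("langchain")
    except metadata.PackageNotFoundError:
        installed = None  # langchain is not installed in this environment
    print(audit(installed, {"sample_agent.py": SAMPLE}))
```

A file is reported as exposed only when both conditions hold: the version predates the fix and the code references the wrapper. References found on a patched version are still worth reviewing under step 2.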

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity; Article 9 - Risk Management System
ISO 42001: 6.1.2 - AI Risk Assessment; 8.4 - AI System Operation
NIST AI RMF: GOVERN 6.1 - Policies for Third-Party AI Components; MANAGE 2.2 - Risk Treatment and Mitigation
OWASP LLM Top 10: LLM07 - Insecure Plugin Design; LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2023-34540 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34540, increasing the risk of exploitation.

What systems are affected by CVE-2023-34540?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, enterprise tool integrations, RAG pipelines with external data connectors, internal copilots with project management integrations.

What is the CVSS score for CVE-2023-34540?

CVE-2023-34540 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.87%.

Technical Details

NVD Description

Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available.

Exploitation Scenario

An adversary identifies a public-facing enterprise chatbot or internal IT assistant powered by LangChain with JiraAPIWrapper enabled (discoverable via response headers, job postings, or GitHub repos). The attacker submits a crafted natural language query or direct API request containing a malicious payload that exploits unsafe input handling in JiraAPIWrapper — likely triggering eval() or subprocess execution with attacker-controlled arguments. This yields a reverse shell on the application server. From there, the attacker harvests environment variables (LLM API keys, database credentials, Stripe keys), exfiltrates the vector database or RAG corpus containing proprietary data, and pivots to connected Jira/Confluence instances using the agent's stored OAuth tokens. The entire attack requires no authentication and produces no alerts in standard SIEM rules not tuned for AI application anomalies.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 14, 2023
Last Modified: November 21, 2024
First Seen: June 14, 2023
