AI Threat Alert

CVE-2023-39659: LangChain: RCE via unsanitized PythonAstREPL input

CRITICAL PoC AVAILABLE CISA: ATTEND
Published August 15, 2023
CISO Take

Any LangChain deployment using PythonAstREPLTool before v0.0.233 is exposed to unauthenticated remote code execution — full host compromise, zero prerequisites. Patch to v0.0.233+ immediately or remove PythonAstREPLTool from all agent tool configurations. Treat affected hosts as potentially compromised and conduct forensic review of process and network logs.

What is the risk?

Maximum exploitability: CVSS 9.8, network-accessible, no authentication, no user interaction, low complexity. PythonAstREPLTool is a standard LangChain component widely used in production agents to grant LLMs Python execution capability — exposure is broad. Any internet-facing LangChain deployment is a trivial target for automated scanning and drive-by exploitation. No POC sophistication required.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
1.3%
chance of exploitation in 30 days
Higher than 66% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    Upgrade LangChain to v0.0.233 or later immediately — no exceptions.

  2. WORKAROUND

    If patching is delayed, remove PythonAstREPLTool from all agent tool registries and deny any agent configuration referencing it.

  3. ISOLATE

    Run LangChain agents in containers with no network egress, read-only filesystems, and dropped Linux capabilities. Never run as root.

  4. DETECT

    Alert on unexpected subprocess spawning, outbound network connections, or file writes from LangChain Python processes. Look for exec/eval patterns in agent input logs.

  5. AUDIT

    Inventory all LangChain versions in production, CI/CD, and dev environments. Confirm no pre-0.0.233 instances remain.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Prompt Injection Framework Agent Plugin AML.T0049 AML.T0050 AML.T0051 AML.T0053 AML.T0072

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.5 - AI System Security Controls
NIST AI RMF
MANAGE-2.2 - AI Risk Treatment
OWASP LLM Top 10
LLM01 - Prompt Injection LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2023-39659?

Any LangChain deployment using PythonAstREPLTool before v0.0.233 is exposed to unauthenticated remote code execution — full host compromise, zero prerequisites. Patch to v0.0.233+ immediately or remove PythonAstREPLTool from all agent tool configurations. Treat affected hosts as potentially compromised and conduct forensic review of process and network logs.

Is CVE-2023-39659 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-39659, increasing the risk of exploitation.

How to fix CVE-2023-39659?

1. PATCH: Upgrade LangChain to v0.0.233 or later immediately — no exceptions. 2. WORKAROUND: If patching is delayed, remove PythonAstREPLTool from all agent tool registries and deny any agent configuration referencing it. 3. ISOLATE: Run LangChain agents in containers with no network egress, read-only filesystems, and dropped Linux capabilities. Never run as root. 4. DETECT: Alert on unexpected subprocess spawning, outbound network connections, or file writes from LangChain Python processes. Look for exec/eval patterns in agent input logs. 5. AUDIT: Inventory all LangChain versions in production, CI/CD, and dev environments. Confirm no pre-0.0.233 instances remain.

What systems are affected by CVE-2023-39659?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM-powered code execution tools, RAG pipelines with tool-use, data processing pipelines, AI-powered developer assistants.

What is the CVSS score for CVE-2023-39659?

CVE-2023-39659 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.27%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM-powered code execution toolsRAG pipelines with tool-usedata processing pipelinesAI-powered developer assistants

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051 LLM Prompt Injection
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM01, LLM07

What are the technical details?

Original Advisory

An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

Exploitation Scenario

An adversary sends a crafted HTTP request to any endpoint passing user-controlled input to a LangChain agent with PythonAstREPLTool enabled. The payload bypasses the intended AST-based restrictions in _run, causing the underlying Python interpreter to execute arbitrary OS commands on the server. Within seconds: environment variables (OpenAI API keys, DB credentials, AWS tokens) are exfiltrated, a reverse shell is established for persistent C2, and lateral movement begins to connected PostgreSQL or vector store instances — all without credentials or prior foothold.

Weaknesses (CWE)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Primary

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

  • [Requirements] Programming languages and supporting technologies might be chosen which are not subject to these issues.
  • [Implementation] Utilize an appropriate mix of allowlist and denylist parsing to filter control-plane syntax from all input.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
August 15, 2023
Last Modified
November 21, 2024
First Seen
August 15, 2023

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed