CVE-2023-39659: LangChain: RCE via unsanitized PythonAstREPL input

CRITICAL PoC AVAILABLE CISA: ATTEND
Published August 15, 2023
CISO Take

Any LangChain deployment using PythonAstREPLTool before v0.0.233 is exposed to unauthenticated remote code execution — full host compromise, zero prerequisites. Patch to v0.0.233+ immediately or remove PythonAstREPLTool from all agent tool configurations. Treat affected hosts as potentially compromised and conduct forensic review of process and network logs.

Risk Assessment

Maximum exploitability: CVSS 9.8, network-accessible, no authentication, no user interaction, low complexity. PythonAstREPLTool is a standard LangChain component widely used in production agents to grant LLMs Python execution capability — exposure is broad. Any internet-facing LangChain deployment is a trivial target for automated scanning and drive-by exploitation. No PoC sophistication required.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain pip No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 1.2% chance of exploitation in 30 days (higher than 79% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

  1. PATCH

    Upgrade LangChain to v0.0.233 or later immediately — no exceptions.

  2. WORKAROUND

    If patching is delayed, remove PythonAstREPLTool from all agent tool registries and deny any agent configuration referencing it.

  3. ISOLATE

    Run LangChain agents in containers with no network egress, read-only filesystems, and dropped Linux capabilities. Never run as root.

  4. DETECT

    Alert on unexpected subprocess spawning, outbound network connections, or file writes from LangChain Python processes. Look for exec/eval patterns in agent input logs.

  5. AUDIT

    Inventory all LangChain versions in production, CI/CD, and dev environments. Confirm no pre-0.0.233 instances remain.
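
The WORKAROUND and AUDIT steps can be scripted. The following is an added example, not code from LangChain or from this advisory: it compares langchain versions against the 0.0.233 threshold stated above and finds source lines that import or name PythonAstREPLTool. The function names and both sample inputs are constructed for illustration.

```python
import ast
import re
from importlib import metadata

FIXED = (0, 0, 233)         # first patched release according to this advisory
TOOL = "PythonAstREPLTool"  # class named in the NVD description
# Constructed sample inputs, not taken from any real project.
SAMPLE_REQS = "requests==2.31.0\nlangchain==0.0.232  # pinned\nlangchain-community==0.0.10\n"
SAMPLE_AGENT = "from langchain.tools import PythonAstREPLTool\ntools = [PythonAstREPLTool()]\n"

def is_vulnerable(version):
    """True if the release is older than FIXED (numeric compare, not string compare)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # "0.1" -> (0, 1, 0)
    return parts < FIXED  # pre-release suffixes such as "rc1" are ignored

def installed_version():
    """langchain version in the running environment, or None if not installed."""
    try:
        return metadata.version("langchain")
    except metadata.PackageNotFoundError:
        return None

def pinned_versions(requirements_text):
    """(line number, version) for each exact `langchain==X` pin in a requirements file."""
    pin = re.compile(r"\s*langchain(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)", re.I)
    lines = enumerate(requirements_text.splitlines(), 1)
    return [(n, m.group(1)) for n, line in lines if (m := pin.match(line))]

def tool_references(source):
    """Sorted line numbers where Python source imports or names TOOL."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ImportFrom):
            names = [alias.name for alias in node.names]
        else:
            names = [getattr(node, "id", None), getattr(node, "attr", None)]
        if TOOL in names:
            hits.add(node.lineno)
    return sorted(hits)

if __name__ == "__main__":
    print("installed langchain:", installed_version())
    for lineno, ver in pinned_versions(SAMPLE_REQS):
        print(f"requirements line {lineno}: {ver} vulnerable={is_vulnerable(ver)}")
    print("tool referenced on lines:", tool_references(SAMPLE_AGENT))
```
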

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.5 - AI System Security Controls
NIST AI RMF: MANAGE-2.2 - AI Risk Treatment
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2023-39659 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-39659, increasing the risk of exploitation.

What systems are affected by CVE-2023-39659?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM-powered code execution tools, RAG pipelines with tool-use, data processing pipelines, AI-powered developer assistants.

What is the CVSS score for CVE-2023-39659?

CVE-2023-39659 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.20%.

Technical Details

NVD Description

An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

Exploitation Scenario

An adversary sends a crafted HTTP request to any endpoint passing user-controlled input to a LangChain agent with PythonAstREPLTool enabled. The payload bypasses the intended AST-based restrictions in _run, causing the underlying Python interpreter to execute arbitrary OS commands on the server. Within seconds: environment variables (OpenAI API keys, DB credentials, AWS tokens) are exfiltrated, a reverse shell is established for persistent C2, and lateral movement begins to connected PostgreSQL or vector store instances — all without credentials or prior foothold.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: August 15, 2023
Last Modified: November 21, 2024
First Seen: August 15, 2023
