AI Threat Alert

CVE-2024-21513: langchain-experimental: RCE via eval() in VectorSQL chain

HIGH PoC AVAILABLE
Published July 15, 2024
CISO Take

Any deployment using langchain-experimental with VectorSQLDatabaseChain is exposed to remote code execution — upgrade to 0.0.21+ immediately. The attacker needs low-privileged prompt access and the specific chain enabled, so blast radius is scoped but impact is total OS-level compromise. If you cannot patch now, disable VectorSQLDatabaseChain as an emergency workaround.

What is the risk?

High severity (CVSS 8.5) with scoped but realistic exploitability. Attack complexity is high — the adversary must control input prompts AND the target must have VectorSQLDatabaseChain configured, which limits opportunistic exploitation. However, teams running LangChain-based RAG or SQL-grounded chatbots in production routinely expose prompt input to external users, making this condition achievable. Post-exploitation impact is critical: full OS-level code execution with the process's permissions, enabling data exfiltration, lateral movement, and persistent access.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
8.5 / 10
EPSS
1.5%
chance of exploitation in 30 days
Higher than 70% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

6 steps

  1. PATCH

    Upgrade langchain-experimental to >= 0.0.21 immediately. The fix (commit 7b13292) removes the unsafe eval() call.

  2. WORKAROUND

    If patching is blocked, disable VectorSQLDatabaseChain entirely and block any code path that instantiates it.

  3. DETECT

    Search codebase for 'VectorSQLDatabaseChain' instantiations; audit all langchain-experimental imports across repos and CI pipelines.

  4. RUNTIME CONTROLS

    Enforce least-privilege on the process running LangChain — restrict filesystem access, outbound network calls, and subprocess execution to minimize post-exploitation blast radius.

  5. INPUT VALIDATION

    Add strict input sanitization on prompt ingestion points regardless of patch status.

  6. DEPENDENCY AUDIT

    Run 'pip show langchain-experimental' across all environments; check lockfiles in requirements.txt, pyproject.toml, and Poetry/Conda configs.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Prompt Injection Data Extraction Framework RAG Agent AML.T0010.001 AML.T0025 AML.T0049 AML.T0050 AML.T0051.001

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.5 - AI system security and resilience
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain AI risk management
OWASP LLM Top 10
LLM01 - Prompt Injection LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2024-21513?

Any deployment using langchain-experimental with VectorSQLDatabaseChain is exposed to remote code execution — upgrade to 0.0.21+ immediately. The attacker needs low-privileged prompt access and the specific chain enabled, so blast radius is scoped but impact is total OS-level compromise. If you cannot patch now, disable VectorSQLDatabaseChain as an emergency workaround.

Is CVE-2024-21513 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-21513, increasing the risk of exploitation.

How to fix CVE-2024-21513?

1. PATCH: Upgrade langchain-experimental to >= 0.0.21 immediately. The fix (commit 7b13292) removes the unsafe eval() call. 2. WORKAROUND: If patching is blocked, disable VectorSQLDatabaseChain entirely and block any code path that instantiates it. 3. DETECT: Search codebase for 'VectorSQLDatabaseChain' instantiations; audit all langchain-experimental imports across repos and CI pipelines. 4. RUNTIME CONTROLS: Enforce least-privilege on the process running LangChain — restrict filesystem access, outbound network calls, and subprocess execution to minimize post-exploitation blast radius. 5. INPUT VALIDATION: Add strict input sanitization on prompt ingestion points regardless of patch status. 6. DEPENDENCY AUDIT: Run 'pip show langchain-experimental' across all environments; check lockfiles in requirements.txt, pyproject.toml, and Poetry/Conda configs.

What systems are affected by CVE-2024-21513?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, vector databases, LLM-to-SQL interfaces, natural language database query systems.

What is the CVSS score for CVE-2024-21513?

CVE-2024-21513 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 1.47%.

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksvector databasesLLM-to-SQL interfacesnatural language database query systems

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01, LLM02

What are the technical details?

Original Advisory

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. Integrity: There is nothing protected by the impacted component inherently. Although anything returned from the component counts as 'information' for which the trustworthiness can be compromised. Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps. Impact on the Confidentiality, Integrity and Availability of the subsequent system: As a legitimate low-privileged user of the package (PR:L) the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended action that one can perform by breaking out of the app environment and exfiltrating files, making remote connections etc. happens during the post exploitation phase in the subsequent system - in this case, the OS. AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.

Exploitation Scenario

An adversary with low-privilege access to a RAG-based enterprise chatbot crafts a prompt designed to surface malicious data from the vector-SQL backend. The VectorSQLDatabaseChain processes the query, retrieves values from the database, and passes them directly to Python's eval(). If the attacker has previously inserted a malicious record into the database (via a separate injection or by controlling any upstream data source), or if the query result set can be shaped through prompt crafting to return a string containing Python code, eval() executes it server-side. The attacker's payload spawns a reverse shell or exfiltrates environment variables (API keys, DB credentials, cloud tokens) over an outbound HTTP request — all from within the legitimate application process.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-94 Improper Control of Generation of Code ('Code Injection')

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

References

Timeline

Published
July 15, 2024
Last Modified
November 21, 2024
First Seen
July 15, 2024

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed