CVE-2024-21513 — HIGH (CVSS 8.5) AI Security Vulnerability

CISO Take

Any deployment using langchain-experimental with VectorSQLDatabaseChain is exposed to remote code execution — upgrade to 0.0.21+ immediately. The attacker needs low-privileged prompt access and the specific chain enabled, so blast radius is scoped but impact is total OS-level compromise. If you cannot patch now, disable VectorSQLDatabaseChain as an emergency workaround.

Risk Assessment

High severity (CVSS 8.5) with scoped but realistic exploitability. Attack complexity is high — the adversary must control input prompts AND the target must have VectorSQLDatabaseChain configured, which limits opportunistic exploitation. However, teams running LangChain-based RAG or SQL-grounded chatbots in production routinely expose prompt input to external users, making this condition achievable. Post-exploitation impact is critical: full OS-level code execution with the process's permissions, enabling data exfiltration, lateral movement, and persistent access.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain-experimental	pip	—	No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Do you use langchain-experimental? You're affected.

Severity & Risk

CVSS 3.1

8.5 / 10

EPSS

16.7%

chance of exploitation in 30 days

Higher than 95% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ EPSS exploit prediction: 17%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC High

PR Low

UI None

S Changed

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade langchain-experimental to >= 0.0.21 immediately. The fix (commit 7b13292) removes the unsafe eval() call.
WORKAROUND

If patching is blocked, disable VectorSQLDatabaseChain entirely and block any code path that instantiates it.
DETECT

Search codebase for 'VectorSQLDatabaseChain' instantiations; audit all langchain-experimental imports across repos and CI pipelines.
RUNTIME CONTROLS

Enforce least-privilege on the process running LangChain — restrict filesystem access, outbound network calls, and subprocess execution to minimize post-exploitation blast radius.
INPUT VALIDATION

Add strict input sanitization on prompt ingestion points regardless of patch status.
DEPENDENCY AUDIT

Run 'pip show langchain-experimental' across all environments; check lockfiles in requirements.txt, pyproject.toml, and Poetry/Conda configs.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Prompt Injection Data Extraction Framework RAG Agent AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0051.001 - Indirect

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.5 - AI system security and resilience

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI risk management

OWASP LLM Top 10

LLM01 - Prompt Injection LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2024-21513?

Any deployment using langchain-experimental with VectorSQLDatabaseChain is exposed to remote code execution — upgrade to 0.0.21+ immediately. The attacker needs low-privileged prompt access and the specific chain enabled, so blast radius is scoped but impact is total OS-level compromise. If you cannot patch now, disable VectorSQLDatabaseChain as an emergency workaround.

Is CVE-2024-21513 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-21513, increasing the risk of exploitation.

How to fix CVE-2024-21513?

1. PATCH: Upgrade langchain-experimental to >= 0.0.21 immediately. The fix (commit 7b13292) removes the unsafe eval() call. 2. WORKAROUND: If patching is blocked, disable VectorSQLDatabaseChain entirely and block any code path that instantiates it. 3. DETECT: Search codebase for 'VectorSQLDatabaseChain' instantiations; audit all langchain-experimental imports across repos and CI pipelines. 4. RUNTIME CONTROLS: Enforce least-privilege on the process running LangChain — restrict filesystem access, outbound network calls, and subprocess execution to minimize post-exploitation blast radius. 5. INPUT VALIDATION: Add strict input sanitization on prompt ingestion points regardless of patch status. 6. DEPENDENCY AUDIT: Run 'pip show langchain-experimental' across all environments; check lockfiles in requirements.txt, pyproject.toml, and Poetry/Conda configs.

What systems are affected by CVE-2024-21513?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, vector databases, LLM-to-SQL interfaces, natural language database query systems.

What is the CVSS score for CVE-2024-21513?

CVE-2024-21513 has a CVSS v3.1 base score of 8.5 (HIGH). The EPSS exploitation probability is 16.65%.

Technical Details

NVD Description

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. Integrity: There is nothing protected by the impacted component inherently. Although anything returned from the component counts as 'information' for which the trustworthiness can be compromised. Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps. Impact on the Confidentiality, Integrity and Availability of the subsequent system: As a legitimate low-privileged user of the package (PR:L) the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended action that one can perform by breaking out of the app environment and exfiltrating files, making remote connections etc. happens during the post exploitation phase in the subsequent system - in this case, the OS. AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.

Exploitation Scenario

An adversary with low-privilege access to a RAG-based enterprise chatbot crafts a prompt designed to surface malicious data from the vector-SQL backend. The VectorSQLDatabaseChain processes the query, retrieves values from the database, and passes them directly to Python's eval(). If the attacker has previously inserted a malicious record into the database (via a separate injection or by controlling any upstream data source), or if the query result set can be shaped through prompt crafting to return a string containing Python code, eval() executes it server-side. The attacker's payload spawns a reverse shell or exfiltrates environment variables (API keys, DB credentials, cloud tokens) over an outbound HTTP request — all from within the legitimate application process.