CVE-2024-46946

CRITICAL

Published September 19, 2024

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain....

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain-experimental	pip	—	No patch

Do you use langchain-experimental? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

N/A

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

Weaknesses (CWE)

CWE-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

cwe.mitre.org/data/definitions/95.html
Not Applicable
docs.sympy.org/latest/modules/codegen.html
Technical
gist.github.com/12end/68c0c58d2564ef4141bccd4651480820
Exploit 3rd Party
github.com/langchain-ai/langchain/releases/tag/langchain-experimental%3D%3D0.3.0
Release

Timeline

Published

September 19, 2024

Last Modified

July 16, 2025

First Seen

September 19, 2024

Back to Threat Feed