CRITICAL 9.8

PYSEC-2023-147

Details

An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / langchain

Introduced in: 0 Fixed in: 0.0.233

Fix pip install --upgrade 'langchain>=0.0.233'

References

https://github.com/langchain-ai/langchain/issues/7700 [EVIDENCE]
https://github.com/langchain-ai/langchain/issues/7700 [REPORT]
https://github.com/langchain-ai/langchain/pull/5640 [REPORT]
https://github.com/langchain-ai/langchain/pull/5640 [FIX]
https://github.com/advisories/GHSA-prgp-w7vf-ch62 [ADVISORY]