Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/75474?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/75474?format=api", "purl": "pkg:pypi/langchain@0.0.19", "type": "pypi", "namespace": "", "name": "langchain", "version": "0.0.19", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.3.30", "latest_non_vulnerable_version": "0.3.30", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/139377?format=api", "vulnerability_id": "VCID-1618-rc62-rke9", "summary": "An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39659", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0161", "scoring_system": "epss", "scoring_elements": "0.82173", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39659" }, { "reference_url": "https://github.com/advisories/GHSA-prgp-w7vf-ch62", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-prgp-w7vf-ch62" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/cadfce295f8a33828fc635c2e5ea28b883e5c992" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/12427", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/12427" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.325", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.325" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-147.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39659", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39659" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/5640", "reference_id": "5640", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:27:51Z/" } ], "url": "https://github.com/langchain-ai/langchain/pull/5640" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/7700", "reference_id": "7700", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-08T20:27:51Z/" } ], "url": "https://github.com/langchain-ai/langchain/issues/7700" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76556?format=api", "purl": "pkg:pypi/langchain@0.0.233", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.233" }, { "url": "http://public2.vulnerablecode.io/api/packages/83066?format=api", "purl": "pkg:pypi/langchain@0.0.325", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.325" } ], "aliases": [ "CVE-2023-39659", "GHSA-prgp-w7vf-ch62", "PYSEC-2023-147" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1618-rc62-rke9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39718?format=api", "vulnerability_id": "VCID-2rhm-rh9f-13b7", "summary": "LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28088", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.13435", "scoring_system": "epss", "scoring_elements": "0.94359", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28088" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/e1924b3e93d513ca950c72f8e80e1c133749fba5" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-core/PYSEC-2024-45.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-43.yaml" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/18600", "reference_id": "18600", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/" } ], "url": "https://github.com/langchain-ai/langchain/pull/18600" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28088", "reference_id": "CVE-2024-28088", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28088" }, { "reference_url": "https://github.com/advisories/GHSA-h59x-p739-982c", "reference_id": "GHSA-h59x-p739-982c", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h59x-p739-982c" }, { "reference_url": "https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py", "reference_id": "loading.py", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/" } ], "url": "https://github.com/langchain-ai/langchain/blob/f96dd57501131840b713ed7c2e86cbf1ddc2761f/libs/core/langchain_core/utils/loading.py" }, { "reference_url": "https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md", "reference_id": "README.md", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-07T19:36:26Z/" } ], "url": "https://github.com/PinkDraconian/PoC-Langchain-RCE/blob/main/README.md" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29504?format=api", "purl": "pkg:pypi/langchain@0.0.339", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.339" }, { "url": "http://public2.vulnerablecode.io/api/packages/83113?format=api", "purl": "pkg:pypi/langchain@0.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.11" } ], "aliases": [ "CVE-2024-28088", "GHSA-h59x-p739-982c", "PYSEC-2024-43", "PYSEC-2024-45" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2rhm-rh9f-13b7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64019?format=api", "vulnerability_id": "VCID-449d-vdfh-x7fd", "summary": "langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01915", "scoring_system": "epss", "scoring_elements": "0.83705", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3571" }, { "reference_url": "https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8", "reference_id": "2df3acdc-ee4f-4257-bbf8-a7de3870a9d8", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:16:15Z/" } ], "url": "https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412", "reference_id": "aad3d8bd47d7f5598156ff2bdcc8f736f24a7412", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-17T19:16:15Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3571", "reference_id": "CVE-2024-3571", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3571" }, { "reference_url": "https://github.com/advisories/GHSA-rgp8-pm28-3759", "reference_id": "GHSA-rgp8-pm28-3759", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rgp8-pm28-3759" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30391?format=api", "purl": "pkg:pypi/langchain@0.0.353", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.353" } ], "aliases": [ "CVE-2024-3571", "GHSA-rgp8-pm28-3759" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-449d-vdfh-x7fd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136683?format=api", "vulnerability_id": "VCID-8jk9-a8mt-mke3", "summary": "An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36258", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00741", "scoring_system": "epss", "scoring_elements": "0.7342", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36258" }, { "reference_url": "https://github.com/advisories/GHSA-2qmj-7962-cjq8", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2qmj-7962-cjq8" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/5872#issuecomment-1697785619" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/7870", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/7870" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-98.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36258", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36258" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/5872", "reference_id": "5872", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-22T16:45:46Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/5872" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36258", "GHSA-2qmj-7962-cjq8", "PYSEC-2023-98" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8jk9-a8mt-mke3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/58351?format=api", "vulnerability_id": "VCID-9879-hp1u-47ds", "summary": "With the following crawler configuration:\n\n```python\nfrom bs4 import BeautifulSoup as Soup\n\nurl = \"https://example.com\"\nloader = RecursiveUrlLoader(\n url=url, max_depth=2, extractor=lambda x: Soup(x, \"html.parser\").text\n)\ndocs = loader.load()\n```\n\nAn attacker in control of the contents of `https://example.com` could place a malicious HTML file in there with links like \"https://example.completely.different/my_file.html\" and the crawler would proceed to download that file as well even though `prevent_outside=True`.\n\nhttps://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51\n\nResolved in https://github.com/langchain-ai/langchain/pull/15559", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0243", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00094", "scoring_system": "epss", "scoring_elements": "0.26218", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-0243" }, { "reference_url": "https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/blob/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22/libs/community/langchain_community/document_loaders/recursive_url_loader.py#L51-L51" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain-exa/PYSEC-2024-235.yaml" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/15559", "reference_id": "15559", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/" } ], "url": "https://github.com/langchain-ai/langchain/pull/15559" }, { "reference_url": "https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861", "reference_id": "370904e7-10ac-40a4-a8d4-e2d16e1ca861", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/" } ], "url": "https://huntr.com/bounties/370904e7-10ac-40a4-a8d4-e2d16e1ca861" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22", "reference_id": "bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-26T18:43:11Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0243", "reference_id": "CVE-2024-0243", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0243" }, { "reference_url": "https://github.com/advisories/GHSA-h9j7-5xvc-qhg5", "reference_id": "GHSA-h9j7-5xvc-qhg5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h9j7-5xvc-qhg5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29315?format=api", "purl": "pkg:pypi/langchain@0.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.0" } ], "aliases": [ "CVE-2024-0243", "GHSA-h9j7-5xvc-qhg5", "PYSEC-2024-235" ], "risk_score": 3.6, "exploitability": "0.5", "weighted_severity": "7.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9879-hp1u-47ds" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/38824?format=api", "vulnerability_id": "VCID-9jxh-pfnm-w7gk", "summary": "A vulnerability in the FAISS.deserialize_from_bytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects the latest version of the product.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5998", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0009", "scoring_system": "epss", "scoring_elements": "0.25571", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5998" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/77209f315efd13442ec51c67719ba37dfaa44511", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/77209f315efd13442ec51c67719ba37dfaa44511" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7", "reference_id": "604dfe2d99246b0c09f047c604f0c63eafba31e7", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "5.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T13:28:59Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/604dfe2d99246b0c09f047c604f0c63eafba31e7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5998", "reference_id": "CVE-2024-5998", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5998" }, { "reference_url": "https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe", "reference_id": "fa3a2753-57c3-4e08-a176-d7a3ffda28fe", "reference_type": "", "scores": [ { "value": "5.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "5.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L" }, { "value": "8.4", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-17T13:28:59Z/" } ], "url": "https://huntr.com/bounties/fa3a2753-57c3-4e08-a176-d7a3ffda28fe" }, { "reference_url": "https://github.com/advisories/GHSA-f2jm-rw3h-6phg", "reference_id": "GHSA-f2jm-rw3h-6phg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f2jm-rw3h-6phg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86193?format=api", "purl": "pkg:pypi/langchain@0.2.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.10" } ], "aliases": [ "CVE-2024-5998", "GHSA-f2jm-rw3h-6phg" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9jxh-pfnm-w7gk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/142284?format=api", "vulnerability_id": "VCID-9yh8-14yh-abhr", "summary": "Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34541", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00166", "scoring_system": "epss", "scoring_elements": "0.37396", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34541" }, { "reference_url": "https://github.com/advisories/GHSA-6643-h7h5-x9wh", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6643-h7h5-x9wh" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4849", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/4849" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/4849#issuecomment-1697896569" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-92.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34541", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34541" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/4849", "reference_id": "4849", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-12-09T21:10:29Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/4849" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-34541", "GHSA-6643-h7h5-x9wh", "PYSEC-2023-92" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9yh8-14yh-abhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64034?format=api", "vulnerability_id": "VCID-cx6s-pyn2-cqcj", "summary": "A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3095", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00163", "scoring_system": "epss", "scoring_elements": "0.37018", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3095" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/24451", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/24451" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-community%3D%3D0.2.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-community%3D%3D0.2.9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3095", "reference_id": "CVE-2024-3095", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3095" }, { "reference_url": "https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273", "reference_id": "e62d4895-2901-405b-9559-38276b6a5273", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T18:54:30Z/" } ], "url": "https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273" }, { "reference_url": "https://github.com/advisories/GHSA-q25c-c977-4cmh", "reference_id": "GHSA-q25c-c977-4cmh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q25c-c977-4cmh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83108?format=api", "purl": "pkg:pypi/langchain@0.1.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.1.6" } ], "aliases": [ "CVE-2024-3095", "GHSA-q25c-c977-4cmh" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cx6s-pyn2-cqcj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63275?format=api", "vulnerability_id": "VCID-d5qc-zvmu-rkde", "summary": "A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-2965.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11719", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2965" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/9a877c7adbd06f90a2518152f65b562bd90487cc" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/22903", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/22903" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-118.yaml" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373306", "reference_id": "2373306", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373306" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82", "reference_id": "73c42306745b0831aa6fe7fe4eeb70d2c2d87a82", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T13:30:27Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/73c42306745b0831aa6fe7fe4eeb70d2c2d87a82" }, { "reference_url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae", "reference_id": "90b0776d-9fa6-4841-aac4-09fde5918cae", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-07T13:30:27Z/" } ], "url": "https://huntr.com/bounties/90b0776d-9fa6-4841-aac4-09fde5918cae" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2965", "reference_id": "CVE-2024-2965", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2965" }, { "reference_url": "https://github.com/advisories/GHSA-3hjh-jh2h-vrg6", "reference_id": "GHSA-3hjh-jh2h-vrg6", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3hjh-jh2h-vrg6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32037?format=api", "purl": "pkg:pypi/langchain@0.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.5" } ], "aliases": [ "CVE-2024-2965", "GHSA-3hjh-jh2h-vrg6", "PYSEC-2024-118" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d5qc-zvmu-rkde" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360837?format=api", "vulnerability_id": "VCID-dg53-vte1-zyfy", "summary": "Langchain SQL Injection vulnerability\nIn Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.", "references": [ { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32785", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32785" }, { "reference_url": "https://github.com/advisories/GHSA-8h5w-f6q9-wg35", "reference_id": "GHSA-8h5w-f6q9-wg35", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8h5w-f6q9-wg35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-32785", "GHSA-8h5w-f6q9-wg35" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dg53-vte1-zyfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/143132?format=api", "vulnerability_id": "VCID-ebf6-jbty-7bbr", "summary": "In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32786", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00135", "scoring_system": "epss", "scoring_elements": "0.33167", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-32786" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/12747", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/12747" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.329", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.329" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32786", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32786" }, { "reference_url": "https://gist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1", "reference_id": "d265f46fc3161b31ac2e81db44d662e1", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-12T17:54:35Z/" } ], "url": "https://gist.github.com/rharang/d265f46fc3161b31ac2e81db44d662e1" }, { "reference_url": "https://github.com/advisories/GHSA-6h8p-4hx9-w66c", "reference_id": "GHSA-6h8p-4hx9-w66c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6h8p-4hx9-w66c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76479?format=api", "purl": "pkg:pypi/langchain@0.0.156", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qkx6-aewg-ryhb" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.156" }, { "url": "http://public2.vulnerablecode.io/api/packages/83069?format=api", "purl": "pkg:pypi/langchain@0.0.329", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.329" } ], "aliases": [ "CVE-2023-32786", "GHSA-6h8p-4hx9-w66c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ebf6-jbty-7bbr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70061?format=api", "vulnerability_id": "VCID-enm9-kr4g-hbbz", "summary": "LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45134", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.11071", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-45134" }, { "reference_url": "https://github.com/langchain-ai/langsmith-sdk", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langsmith-sdk" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45134", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45134" }, { "reference_url": "https://github.com/advisories/GHSA-3644-q5cj-c5c7", "reference_id": "GHSA-3644-q5cj-c5c7", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3644-q5cj-c5c7" }, { "reference_url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-3644-q5cj-c5c7", "reference_id": "GHSA-3644-q5cj-c5c7", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T18:13:39Z/" } ], "url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-3644-q5cj-c5c7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376149?format=api", "purl": "pkg:pypi/langchain@0.3.30", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.30" } ], "aliases": [ "CVE-2026-45134", "GHSA-3644-q5cj-c5c7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-enm9-kr4g-hbbz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/131880?format=api", "vulnerability_id": "VCID-h3je-vmhg-x7bv", "summary": "An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38896", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01059", "scoring_system": "epss", "scoring_elements": "0.78045", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38896" }, { "reference_url": "https://github.com/advisories/GHSA-92j5-3459-qgp4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-92j5-3459-qgp4" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-146.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38896", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38896" }, { "reference_url": "https://twitter.com/llm_sec/status/1668711587287375876", "reference_id": "1668711587287375876", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/" } ], "url": "https://twitter.com/llm_sec/status/1668711587287375876" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/5872", "reference_id": "5872", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/5872" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6003", "reference_id": "6003", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:02:00Z/" } ], "url": "https://github.com/hwchase17/langchain/pull/6003" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76518?format=api", "purl": "pkg:pypi/langchain@0.0.195", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qkx6-aewg-ryhb" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.195" }, { "url": "http://public2.vulnerablecode.io/api/packages/76559?format=api", "purl": "pkg:pypi/langchain@0.0.236", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236" } ], "aliases": [ "CVE-2023-38896", "GHSA-92j5-3459-qgp4", "PYSEC-2023-146" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h3je-vmhg-x7bv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34421?format=api", "vulnerability_id": "VCID-hxnj-z9jr-kue7", "summary": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-8309.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8309", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02002", "scoring_system": "epss", "scoring_elements": "0.84044", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8309" }, { "reference_url": "https://github.com/advisories/GHSA-45pg-36p6-83v9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://github.com/advisories/GHSA-45pg-36p6-83v9" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/64c317eba05fbac0c6a6fc5aa192bc0d7130972e" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2024-115.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8309", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8309" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322452", "reference_id": "2322452", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322452" }, { "reference_url": "https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5", "reference_id": "8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:50:16Z/" } ], "url": "https://huntr.com/bounties/8f4ad910-7fdc-4089-8f0a-b5df5f32e7c5" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255", "reference_id": "c2a3021bb0c5f54649d380b42a0684ca5778c255", "reference_type": "", "scores": [ { "value": "4.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "4.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:50:16Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/c2a3021bb0c5f54649d380b42a0684ca5778c255" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83759?format=api", "purl": "pkg:pypi/langchain@0.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.2.0" } ], "aliases": [ "CVE-2024-8309", "GHSA-45pg-36p6-83v9", "PYSEC-2024-115" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hxnj-z9jr-kue7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136789?format=api", "vulnerability_id": "VCID-jpa5-z25b-u3d3", "summary": "SQL injection vulnerability in langchain before v0.0.247 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36189", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00163", "scoring_system": "epss", "scoring_elements": "0.37042", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36189" }, { "reference_url": "https://github.com/advisories/GHSA-7q94-qpjr-xpgm", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7q94-qpjr-xpgm" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5923", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/5923" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-110.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36189", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36189" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/5923", "reference_id": "5923", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/5923" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841", "reference_id": "5923#issuecomment-1696053841", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/" } ], "url": "https://github.com/langchain-ai/langchain/issues/5923#issuecomment-1696053841" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6051", "reference_id": "6051", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/" } ], "url": "https://github.com/hwchase17/langchain/pull/6051" }, { "reference_url": "https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f", "reference_id": "9c58d39db8c01db5b7c888e467c0533f", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:03Z/" } ], "url": "https://gist.github.com/rharang/9c58d39db8c01db5b7c888e467c0533f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36189", "GHSA-7q94-qpjr-xpgm", "PYSEC-2023-110" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jpa5-z25b-u3d3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136383?format=api", "vulnerability_id": "VCID-n4zy-w2mg-f3hx", "summary": "An issue in langchain v.0.0.64 allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36188", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.11195", "scoring_system": "epss", "scoring_elements": "0.93669", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36188" }, { "reference_url": "https://github.com/advisories/GHSA-57fc-8q82-gfp3", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-57fc-8q82-gfp3" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-109.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-109.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36188", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36188" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/5872", "reference_id": "5872", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-19T19:03:12Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/5872" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/6003", "reference_id": "6003", "reference_type": "", "scores": [ { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-19T19:03:12Z/" } ], "url": "https://github.com/hwchase17/langchain/pull/6003" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75519?format=api", "purl": "pkg:pypi/langchain@0.0.65", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-ebf6-jbty-7bbr" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qkx6-aewg-ryhb" }, { "vulnerability": "VCID-qq81-myur-z7f9" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.65" }, { "url": "http://public2.vulnerablecode.io/api/packages/76559?format=api", "purl": "pkg:pypi/langchain@0.0.236", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236" }, { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-36188", "GHSA-57fc-8q82-gfp3", "PYSEC-2023-109" ], "risk_score": 0.1, "exploitability": "0.5", "weighted_severity": "0.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n4zy-w2mg-f3hx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218335?format=api", "vulnerability_id": "VCID-qkx6-aewg-ryhb", "summary": "Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34540", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0187", "scoring_system": "epss", "scoring_elements": "0.83513", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-34540" }, { "reference_url": "https://github.com/advisories/GHSA-x32c-59v5-h7fg", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x32c-59v5-h7fg" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/4833", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hwchase17/langchain/issues/4833" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/a2f191a32229256dd41deadf97786fe41ce04cbb" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/4833", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/4833" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6992", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/6992" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.225", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.225" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-91.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34540", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34540" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76548?format=api", "purl": "pkg:pypi/langchain@0.0.225", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.225" } ], "aliases": [ "CVE-2023-34540", "GHSA-x32c-59v5-h7fg", "PYSEC-2023-91" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qkx6-aewg-ryhb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/140529?format=api", "vulnerability_id": "VCID-qq81-myur-z7f9", "summary": "In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec method.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29374", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03769", "scoring_system": "epss", "scoring_elements": "0.88308", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-29374" }, { "reference_url": "https://github.com/advisories/GHSA-fprp-p869-w6q2", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fprp-p869-w6q2" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-18.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29374", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29374" }, { "reference_url": "https://twitter.com/rharang/status/1641899743608463365/photo/1", "reference_id": "1", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/" } ], "url": "https://twitter.com/rharang/status/1641899743608463365/photo/1" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/1026", "reference_id": "1026", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/1026" }, { "reference_url": "https://github.com/hwchase17/langchain/pull/1119", "reference_id": "1119", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/" } ], "url": "https://github.com/hwchase17/langchain/pull/1119" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/814", "reference_id": "814", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-12T16:14:23Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/814" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/75589?format=api", "purl": "pkg:pypi/langchain@0.0.132", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-ebf6-jbty-7bbr" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qkx6-aewg-ryhb" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.132" } ], "aliases": [ "CVE-2023-29374", "GHSA-fprp-p869-w6q2", "PYSEC-2023-18" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qq81-myur-z7f9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/132569?format=api", "vulnerability_id": "VCID-qvyx-jcxw-sbdh", "summary": "LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46229.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01752", "scoring_system": "epss", "scoring_elements": "0.82978", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46229" }, { "reference_url": "https://github.com/advisories/GHSA-655w-fm8m-m478", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-655w-fm8m-m478" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-205.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46229", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46229" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/11925", "reference_id": "11925", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-12T18:06:03Z/" } ], "url": "https://github.com/langchain-ai/langchain/pull/11925" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390135", "reference_id": "2390135", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390135" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8", "reference_id": "9ecb7240a480720ec9d739b3877a52f76098a2b8", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-12T18:06:03Z/" } ], "url": "https://github.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79527?format=api", "purl": "pkg:pypi/langchain@0.0.317", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.317" } ], "aliases": [ "CVE-2023-46229", "GHSA-655w-fm8m-m478", "PYSEC-2023-205" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qvyx-jcxw-sbdh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136626?format=api", "vulnerability_id": "VCID-s4wf-9m6c-8yay", "summary": "An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36281", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.62245", "scoring_system": "epss", "scoring_elements": "0.98385", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36281" }, { "reference_url": "https://github.com/advisories/GHSA-7gfq-f96f-g85j", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gfq-f96f-g85j" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/22abeb9f6cc555591bf8e92b5e328e43aa07ff6c" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/10252", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/10252" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-151.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36281", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36281" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/4394", "reference_id": "4394", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/4394" }, { "reference_url": "https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55", "reference_id": "LangChain-2e6244a313dd46139c5ef28cbcab9e55", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/" } ], "url": "https://aisec.today/LangChain-2e6244a313dd46139c5ef28cbcab9e55" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.312", "reference_id": "v0.0.312", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2023-12-13T16:27:50Z/" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.312" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76494?format=api", "purl": "pkg:pypi/langchain@0.0.171", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-h3je-vmhg-x7bv" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qkx6-aewg-ryhb" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-vrea-ew6n-vyf9" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.171" }, { "url": "http://public2.vulnerablecode.io/api/packages/79522?format=api", "purl": "pkg:pypi/langchain@0.0.312", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.312" } ], "aliases": [ "CVE-2023-36281", "GHSA-7gfq-f96f-g85j", "PYSEC-2023-151" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s4wf-9m6c-8yay" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/139375?format=api", "vulnerability_id": "VCID-tvj5-fy4j-yqar", "summary": "An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39631", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01754", "scoring_system": "epss", "scoring_elements": "0.82988", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-39631" }, { "reference_url": "https://github.com/advisories/GHSA-f73w-4m7g-ch9x", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f73w-4m7g-ch9x" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/11302", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/11302" }, { "reference_url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.308", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/releases/tag/v0.0.308" }, { "reference_url": "https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pydata/numexpr/commit/4b2d89cf14e75030d27629925b9998e1e91d23c7" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-162.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/numexpr/PYSEC-2023-163.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39631", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39631" }, { "reference_url": "https://github.com/pydata/numexpr/issues/442", "reference_id": "442", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-01T13:18:27Z/" } ], "url": "https://github.com/pydata/numexpr/issues/442" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/8363", "reference_id": "8363", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-01T13:18:27Z/" } ], "url": "https://github.com/langchain-ai/langchain/issues/8363" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78006?format=api", "purl": "pkg:pypi/langchain@0.0.308", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.308" } ], "aliases": [ "CVE-2023-39631", "GHSA-f73w-4m7g-ch9x", "PYSEC-2023-162", "PYSEC-2023-163" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tvj5-fy4j-yqar" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/218390?format=api", "vulnerability_id": "VCID-uhwf-4hp8-63gv", "summary": "A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.", "references": [], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/86204?format=api", "purl": "pkg:pypi/langchain@0.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-enm9-kr4g-hbbz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.3.1" } ], "aliases": [ "PYSEC-2024-114" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uhwf-4hp8-63gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/136692?format=api", "vulnerability_id": "VCID-vrea-ew6n-vyf9", "summary": "An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36095", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03155", "scoring_system": "epss", "scoring_elements": "0.87194", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-36095" }, { "reference_url": "https://github.com/advisories/GHSA-gwqq-6vq7-5j86", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gwqq-6vq7-5j86" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/8ba9835b925473655914f63822775679e03ea137" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/e294ba475a355feb95003ed8f1a2b99942509a9e" }, { "reference_url": "https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commits/v0.0.236?after=4d8b48bdb3f17c764c5c2e3c7140071603869e74+34&branch=v0.0.236&qualified_name=refs%2Ftags%2Fv0.0.236" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/6003", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/6003" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/7870", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/7870" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-138.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36095", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36095" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/5872", "reference_id": "5872", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/" } ], "url": "https://github.com/langchain-ai/langchain/issues/5872" }, { "reference_url": "https://github.com/hwchase17/langchain", "reference_id": "langchain", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/" } ], "url": "https://github.com/hwchase17/langchain" }, { "reference_url": "http://langchain.com", "reference_id": "langchain.com", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-17T14:46:57Z/" } ], "url": "http://langchain.com" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76559?format=api", "purl": "pkg:pypi/langchain@0.0.236", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-8jk9-a8mt-mke3" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-9yh8-14yh-abhr" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-dg53-vte1-zyfy" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-jpa5-z25b-u3d3" }, { "vulnerability": "VCID-n4zy-w2mg-f3hx" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" }, { "vulnerability": "VCID-zh5c-9jvd-jfhz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.236" } ], "aliases": [ "CVE-2023-36095", "GHSA-gwqq-6vq7-5j86", "PYSEC-2023-138" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrea-ew6n-vyf9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/131832?format=api", "vulnerability_id": "VCID-zh5c-9jvd-jfhz", "summary": "An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01824", "scoring_system": "epss", "scoring_elements": "0.83292", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-38860" }, { "reference_url": "https://github.com/advisories/GHSA-fj32-q626-pjjc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fj32-q626-pjjc" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/d353d668e4b0514122a443cef91de7f76fea4245" }, { "reference_url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/commit/fab24457bcf8ede882abd11419769c92bc4e7751" }, { "reference_url": "https://github.com/langchain-ai/langchain/issues/7641", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/issues/7641" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8092", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8092" }, { "reference_url": "https://github.com/langchain-ai/langchain/pull/8425", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/langchain-ai/langchain/pull/8425" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/langchain/PYSEC-2023-145.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38860", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38860" }, { "reference_url": "https://github.com/hwchase17/langchain/issues/7641", "reference_id": "7641", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-10-09T13:16:43Z/" } ], "url": "https://github.com/hwchase17/langchain/issues/7641" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76572?format=api", "purl": "pkg:pypi/langchain@0.0.247", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1618-rc62-rke9" }, { "vulnerability": "VCID-2rhm-rh9f-13b7" }, { "vulnerability": "VCID-449d-vdfh-x7fd" }, { "vulnerability": "VCID-9879-hp1u-47ds" }, { "vulnerability": "VCID-9jxh-pfnm-w7gk" }, { "vulnerability": "VCID-cx6s-pyn2-cqcj" }, { "vulnerability": "VCID-d5qc-zvmu-rkde" }, { "vulnerability": "VCID-enm9-kr4g-hbbz" }, { "vulnerability": "VCID-hxnj-z9jr-kue7" }, { "vulnerability": "VCID-qvyx-jcxw-sbdh" }, { "vulnerability": "VCID-s4wf-9m6c-8yay" }, { "vulnerability": "VCID-tvj5-fy4j-yqar" }, { "vulnerability": "VCID-uhwf-4hp8-63gv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.247" } ], "aliases": [ "CVE-2023-38860", "GHSA-fj32-q626-pjjc", "PYSEC-2023-145" ], "risk_score": 4.4, "exploitability": "0.5", "weighted_severity": "8.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zh5c-9jvd-jfhz" } ], "fixing_vulnerabilities": [], "risk_score": "4.4", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/langchain@0.0.19" }