Arbitrary Code Execution in langchain-experimental due to Unsafe PythonAstREPLTool
Overview
A critical vulnerability was found in the `langchain-experimental` package, specifically within tools designed for Python code generation and execution, such as `PythonAstREPLTool`. This tool is intended to allow an LLM-powered agent to write and execute Python code to solve problems. However, it lacked sufficient sandboxing and input sanitization. An attacker could provide a crafted prompt to the agent, which would cause the LLM to generate malicious Python code. The `PythonAstREPLTool`, upon receiving this code, would execute it directly within the context of the Python process running the LangChain application. This allows for trivial remote code execution. For example, a prompt could instruct the agent to 'calculate something' but trick it into generating code that imports the `os` module and executes a shell command to download a reverse shell or exfiltrate environment variables. Since these experimental agents are often run in server environments with access to production data and credentials, this vulnerability poses a significant risk of full system compromise. The issue underscores the extreme danger of granting LLMs direct access to code interpreters without robust, multi-layered security controls.
Affected Systems
Testing Guide
1. **Check Package Version**: Run `pip show langchain-experimental` to check the installed version. If it is below `0.0.50`, you may be vulnerable.
2. **Set Up a Test Agent (Safely)**: In an isolated, non-production environment, create a simple LangChain agent that uses the `PythonAstREPLTool` from an affected version.
3. **Craft a Malicious Prompt**: Provide a prompt to the agent like: "Use the Python REPL to print the current working directory and list all environment variables."
4. **Observe Execution**: If the agent successfully executes the code and returns the host's directory and environment variables, the vulnerability is confirmed. Do not test with more destructive commands like deleting files.
Mitigation Steps
1. **Update the Package**: Immediately upgrade to `langchain-experimental` version `0.0.50` or newer, where more safety checks and warnings have been added.
2. **Avoid Experimental Tools in Production**: Do not use tools from `langchain-experimental` in production environments. These tools are explicitly marked as not production-ready and carry inherent risks.
3. **Use Sandboxed Environments**: If code execution is necessary, use a securely sandboxed environment (e.g., a dedicated Docker container with strict resource and network limits) to execute the code, completely isolating it from the host system.
4. **Implement Strict Input Validation**: Before passing any user-provided input to an agent with code execution capabilities, rigorously validate and sanitize the input to prevent malicious prompt crafting.
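The following is an added example, not code from the advisory or from the LangChain project, showing what the missing "input sanitization" layer from the Overview looks like when applied to LLM-generated code rather than to the prompt: the generated source is parsed with the standard `ast` module and rejected before execution if it imports host-access modules, references dangerous builtins, or reaches for dunder attributes (the usual way around a name denylist), and otherwise runs under a minimal builtins table. The `DENIED_MODULES`, `DENIED_NAMES`, and `SAFE_BUILTINS` sets, the `audit_code`/`run_guarded` names, and the sample snippets (including the Testing Guide's "print the current working directory and environment variables" case) are constructed for this example. An AST gate is a defense-in-depth layer, not a sandbox: it belongs in front of the isolated container from mitigation step 3, not in place of it.

```python
import ast
from typing import Dict, List

# Constructed denylists for this example; tune them for your deployment.
# Modules that hand generated code direct access to the host.
DENIED_MODULES = {
    "os", "subprocess", "sys", "shutil", "socket", "pathlib",
    "importlib", "ctypes", "signal", "multiprocessing",
}
# Builtins that load code, touch files, or walk the interpreter state.
DENIED_NAMES = {
    "eval", "exec", "compile", "open", "__import__", "globals",
    "locals", "getattr", "setattr", "delattr", "vars", "breakpoint", "input",
}
# The only builtins exposed to code that passes the audit.
SAFE_BUILTINS = {
    "print": print, "len": len, "range": range, "sum": sum, "min": min,
    "max": max, "abs": abs, "round": round, "sorted": sorted, "list": list,
    "dict": dict, "int": int, "float": float, "str": str, "bool": bool,
}


class CodeRejected(Exception):
    """Raised when LLM-generated code fails the static audit."""


class _Auditor(ast.NodeVisitor):
    """Walks the AST and records every construct on the denylists."""

    def __init__(self) -> None:
        self.findings: List[str] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            root = alias.name.split(".")[0]  # 'os.path' -> 'os'
            if root in DENIED_MODULES:
                self.findings.append(f"line {node.lineno}: import of '{alias.name}'")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        root = (node.module or "").split(".")[0]
        if root in DENIED_MODULES:
            self.findings.append(f"line {node.lineno}: import from '{node.module}'")
        self.generic_visit(node)

    def visit_Name(self, node: ast.Name) -> None:
        if node.id in DENIED_NAMES:
            self.findings.append(f"line {node.lineno}: use of builtin '{node.id}'")
        self.generic_visit(node)

    def visit_Attribute(self, node: ast.Attribute) -> None:
        # Dunder access such as ().__class__.__subclasses__() is how name
        # denylists are typically bypassed, so refuse it outright.
        if node.attr.startswith("__"):
            self.findings.append(f"line {node.lineno}: dunder attribute '{node.attr}'")
        self.generic_visit(node)


def audit_code(source: str) -> List[str]:
    """Return a list of findings; an empty list means the code passed the audit."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    auditor = _Auditor()
    auditor.visit(tree)
    return auditor.findings


def run_guarded(source: str) -> Dict[str, object]:
    """Audit `source`; if it is clean, execute it with SAFE_BUILTINS only and
    return the resulting namespace. Raises CodeRejected otherwise."""
    findings = audit_code(source)
    if findings:
        raise CodeRejected("; ".join(findings))
    namespace: Dict[str, object] = {"__builtins__": dict(SAFE_BUILTINS)}
    exec(compile(source, "<agent-code>", "exec"), namespace)
    namespace.pop("__builtins__", None)
    return namespace


if __name__ == "__main__":
    # Benign arithmetic the agent might legitimately produce.
    print(run_guarded("total = sum(range(10))"))          # {'total': 45}
    # The Testing Guide's probe: environment and cwd disclosure via os.
    probe = "import os\nprint(os.getcwd(), dict(os.environ))"
    print(audit_code(probe))                              # non-empty findings list
    # Denylist bypass attempt via dunder attributes.
    print(audit_code("x = ().__class__.__mro__"))          # flags both dunders
```

In an agent, `run_guarded` would replace the direct `exec` inside the tool's `_run` method; the findings list is also worth logging as a detection signal, since a spike in rejected code for a deployed agent is an early indicator of prompt-injection attempts against it.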
Patch Details
The vulnerability is addressed by adding stronger warnings and recommending safer alternatives in `langchain-experimental` v0.0.50 and later versions.