CRITICAL Patch AvailableCVE-2023-36258

Arbitrary Code Execution in LangChain via Deserialization of Malicious API Responses

Discovered 15 April 2025 2 views

Overview

A critical remote code execution (RCE) vulnerability was discovered in the LangChain framework, specifically affecting agent chains that utilize tools capable of executing Python code, such as PALChain or those using PythonREPLTool. The vulnerability, tracked as a variant of CVE-2023-36258, stems from insufficient validation of outputs from external sources, including LLMs or the APIs they query. An attacker can exploit this by poisoning a data source that the LangChain agent interacts with, such as a web page, a database, or an API endpoint. When the agent processes this tainted data, the connected LLM can be manipulated into generating a malicious Python code snippet as part of its response. For instance, an API call might return a JSON object with a string value containing a serialized Python command. If the agent's tool chain directly uses `exec()` or a similar unsafe function to evaluate the LLM's output, the attacker's payload is executed with the permissions of the LangChain application process. This could lead to complete system compromise, data theft, or lateral movement within the network. The discovery highlighted the inherent risks of granting LLM-powered agents direct access to code execution tools without robust sandboxing and output sanitization, emphasizing that the LLM's output should be treated as untrusted user input.

Affected Systems

LangChain < 0.1.18

Testing Guide

1. **Setup a Test Agent:** Create a LangChain agent using an older, vulnerable version (e.g., `0.1.15`) that utilizes a tool capable of code execution. 2. **Mock an API:** Create a mock API endpoint that the agent is configured to query. 3. **Craft Malicious Response:** Configure the mock API to return a response that, when processed by the LLM, will result in it suggesting a Python command (e.g., `__import__('os').system('touch /tmp/pwned')`). 4. **Trigger the Agent:** Run the agent and have it query the mock API. 5. **Verify Execution:** Check if the file `/tmp/pwned` was created on the host system. If it was, the system is vulnerable.

Mitigation Steps

1. **Upgrade LangChain:** Immediately update to version `0.1.18` or later, which includes patches for unsafe deserialization and tool use. 2. **Avoid Unsafe Tools:** Refrain from using tools that directly execute code, such as `PythonREPLTool` or `PALChain`, especially when processing untrusted input. Prefer tools that make structured API calls. 3. **Implement Sandboxing:** If code execution is necessary, run the agent and its tools within a heavily restricted sandbox environment (e.g., a Docker container with limited permissions and no network access). 4. **Sanitize LLM Output:** Treat all output from LLMs as untrusted. Implement strict parsing and validation before using the output in any downstream function, especially shell or code execution.

Patch Details

Patched in LangChain version 0.1.18 and all subsequent releases.

Sources

← Back to vulnerabilities