Remote Code Execution in LangChain ReAct Agents via Manipulated LLM Output
Overview
A critical vulnerability was identified in older versions of the LangChain framework, affecting agents that expose tools with code execution capabilities, such as a Python REPL (Read-Eval-Print Loop) tool. The flaw is an implicit trust in the output of the Large Language Model (LLM): in a ReAct-style agent, the model's completion is parsed for an `Action` and an `Action Input`, and that input is handed to the chosen tool unmodified. When the tool is a Python REPL, the model's text becomes code executed inside the application process.

An attacker can steer the model toward malicious code either directly, by prompting the agent, or indirectly, by embedding instructions in a document or web page the agent is asked to process (indirect prompt injection). The resulting code runs with the full permissions of the application process on the host, so the impact is remote code execution (RCE): server compromise, data theft, and lateral movement within the network.

The finding highlights the fundamental security challenge of agentic AI systems: safely mediating between a non-deterministic LLM and powerful, deterministic tools. Any tool that executes model-generated code needs robust sandboxing, validation of what it is asked to run, and a strict permission model.
Affected Systems
Testing Guide
1. **Check LangChain version**: In your Python environment, run `pip show langchain` and check whether the version is below `0.0.171`.
2. **Create a test agent**: Set up a simple agent with access to a Python REPL tool (e.g., `PythonAstREPLTool`).
3. **Craft a malicious prompt**: Feed the agent a prompt designed to trigger code execution, such as: `"Write a python script to list all files in the current directory and then execute it."`
4. **Observe output**: If the agent executes `os.listdir('.')` (or an equivalent) and returns the file listing, the system is vulnerable: the same path will run whatever else an attacker makes the model emit. Note that this test asks the model to write and run code explicitly; in a real attack the instruction can instead be embedded in content the agent reads, so a clean result on direct prompts alone does not prove the agent is safe against indirect injection.
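The flow the overview describes and the check in step 4 above, as an added example that is not LangChain's own code: a scripted stand-in for the model's completion (constructed, not a real LLM response) is parsed with a ReAct-style `Action`/`Action Input` regex (an approximation of such a parser, not LangChain's regex), and the action input is run by a small `python_ast_repl` that mimics the Python-AST REPL pattern (run all statements, evaluate the trailing expression, capture stdout). The `demo` function reproduces the directory listing from the testing guide in a scratch directory and also shows that the executed code reports the agent's own process ID, i.e. it runs with the agent's privileges.

```python
import ast
import contextlib
import io
import os
import re
import tempfile

# Constructed stand-in for a model completion. In a real ReAct agent this text
# comes from the LLM, which an attacker can steer with a direct prompt or with
# instructions embedded in a document or web page the agent processes.
ATTACKER_STEERED_COMPLETION = """Thought: I need to see what files are here.
Action: python_repl_ast
Action Input: import os; print(os.listdir('.'))"""

# Approximation of a ReAct/MRKL output parser (assumption: not LangChain's own regex).
ACTION_RE = re.compile(
    r"Action\s*:\s*(?P<tool>.+?)\s*Action\s*Input\s*:\s*(?P<input>.*)", re.DOTALL
)


def parse_react_action(completion: str):
    """Return (tool_name, action_input) from a ReAct-style completion."""
    match = ACTION_RE.search(completion)
    if match is None:
        raise ValueError("completion contains no Action/Action Input pair")
    return match.group("tool").strip(), match.group("input").strip().strip("`")


def python_ast_repl(code: str, namespace=None) -> str:
    """Execute code the way a Python-AST REPL tool does: run every statement,
    evaluate the trailing expression, capture stdout. Nothing here inspects
    the code; it runs in this interpreter with this process's privileges."""
    namespace = {} if namespace is None else namespace
    tree = ast.parse(code)
    head, last = tree.body[:-1], tree.body[-1]
    out = io.StringIO()
    with contextlib.redirect_stdout(out):
        exec(compile(ast.Module(body=head, type_ignores=[]), "<agent>", "exec"), namespace)
        if isinstance(last, ast.Expr):
            value = eval(compile(ast.Expression(body=last.value), "<agent>", "eval"), namespace)
            if value is not None:
                print(repr(value))
        else:
            exec(compile(ast.Module(body=[last], type_ignores=[]), "<agent>", "exec"), namespace)
    return out.getvalue()


TOOLS = {"python_repl_ast": python_ast_repl}


def run_agent_step(completion: str) -> str:
    """One ReAct step: parse the model's action and dispatch it to the tool.
    This hand-off is the trust boundary the vulnerability crosses."""
    tool_name, action_input = parse_react_action(completion)
    return TOOLS[tool_name](action_input)


def demo() -> dict:
    """Reproduce step 4 of the testing guide in a scratch directory and show
    that the executed code shares the agent's process and privileges."""
    with tempfile.TemporaryDirectory() as scratch:
        with open(os.path.join(scratch, "secrets.txt"), "w") as fh:
            fh.write("constructed placeholder\n")
        previous = os.getcwd()
        os.chdir(scratch)
        try:
            listing = run_agent_step(ATTACKER_STEERED_COMPLETION)
        finally:
            os.chdir(previous)
    # The tool reports the pid it runs under; it is the agent's own pid.
    pid_seen = run_agent_step("Action: python_repl_ast\nAction Input: import os; os.getpid()")
    return {"listing": listing, "same_process": pid_seen.strip() == str(os.getpid())}


if __name__ == "__main__":
    print(demo())
```

Nothing in `run_agent_step` distinguishes a model that was asked to list files from one that was coerced by injected text into running anything else; the only thing the tool sees is a string of Python.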
Mitigation Steps
1. **Upgrade LangChain**: Update to version `0.0.171` or later, which includes patches to better handle and sanitize LLM outputs before execution. Upgrading alone does not make a general-purpose code-execution tool safe: by design, such a tool runs whatever the model emits, so the remaining steps still apply.
2. **Use sandboxed environments**: Run agent tools, especially code interpreters, in a sandboxed environment (e.g., a Docker container or gVisor) with restricted network access and file system permissions, and without the agent's secrets in its environment.
3. **Implement strict tool permissions**: Explicitly define and limit the capabilities of the tools available to the agent. Avoid general-purpose tools like a full Python REPL when a more restricted tool would suffice.
4. **Human-in-the-loop approval**: For critical operations, require human approval of the code or command generated by the LLM before the tool executes it.
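Steps 2 to 4 combined into one gated execution path, as an added example that is not LangChain's code: `static_check` rejects imports outside an allowlist (`ALLOWED_IMPORTS` is an assumption about what this agent needs), dunder attribute access, and dynamic-execution builtins; `run_sandboxed` then requires an `approve` callback (the human-in-the-loop hook, supplied by the caller) before running the code in a separate interpreter started with `-I`, an empty environment, a scratch working directory, a wall-clock timeout, and CPU/memory rlimits (POSIX only). The subprocess is a stand-in for the container or gVisor sandbox the page recommends, not a substitute for it, and the AST filter is defense in depth only: it is bypassable, which the `getattr` case in the usage note illustrates.

```python
import ast
import os
import subprocess
import sys
import tempfile
from typing import Callable, Dict, List

# Assumption: the only modules this particular agent legitimately needs.
ALLOWED_IMPORTS = {"math", "statistics", "json", "re"}
BANNED_NAMES = {"eval", "exec", "compile", "open", "__import__", "globals", "locals"}


def static_check(code: str) -> List[str]:
    """Cheap pre-filter on model-generated code: unlisted imports, dunder
    attribute access and dynamic-execution builtins are rejected. Defense in
    depth only; AST filters are bypassable, the process boundary is the control."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        problems += [f"import of {r!r} not allowed" for r in roots if r not in ALLOWED_IMPORTS]
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"dunder attribute {node.attr!r} not allowed")
        if isinstance(node, ast.Name) and node.id in BANNED_NAMES:
            problems.append(f"use of {node.id!r} not allowed")
    return problems


def run_sandboxed(code: str, approve: Callable[[str], bool], timeout: float = 5.0) -> Dict[str, str]:
    """Gate, then execute, model-generated code: static check, reviewer approval,
    then an isolated interpreter in a scratch directory with an empty environment
    and resource limits. Stand-in for a container/gVisor sandbox."""
    problems = static_check(code)
    if problems:
        return {"status": "rejected", "detail": "; ".join(problems)}
    if not approve(code):
        return {"status": "denied", "detail": "reviewer declined to run the code"}

    def limits() -> None:
        # Runs in the child between fork and exec (POSIX only).
        import resource
        cpu = int(timeout) + 1
        resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu))
        resource.setrlimit(resource.RLIMIT_AS, (512 * 2**20, 512 * 2**20))

    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],  # -I: isolated mode, no user site or PYTHON* vars
                cwd=scratch,
                env={},                              # no API keys or credentials inherited from the agent
                capture_output=True,
                text=True,
                timeout=timeout,
                preexec_fn=limits if os.name == "posix" else None,
            )
        except subprocess.TimeoutExpired:
            return {"status": "timeout", "detail": f"killed after {timeout}s"}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "stdout": proc.stdout, "stderr": proc.stderr[-400:]}


if __name__ == "__main__":
    # Constructed model outputs: a benign computation and the payload from the testing guide.
    for snippet in ("import math\nprint(math.sqrt(16))", "import os\nprint(os.listdir('.'))"):
        print(run_sandboxed(snippet, approve=lambda c: True))
```

In production `approve` would show the code to an operator and block until they answer; here the caller passes a callable. Note that `static_check("getattr(object, '__subclasses__')")` returns no problems, because the dunder name is a string rather than an attribute node: this is exactly why the filter is only a pre-check and the isolated process with limited filesystem, network and environment is what actually bounds the damage.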
Patch Details
Patched in LangChain version 0.0.171 and all subsequent releases.