CRITICAL Patch AvailableCVE-2023-44468

Remote Code Execution in LangChain via BashCallbackHandler Shell Injection

Discovered 12 April 2025 6 views

Overview

A critical vulnerability was discovered in the LangChain framework related to its experimental `BashCallbackHandler`. This handler was designed to log the intermediate steps of an LLM agent's execution into a specified file. The vulnerability stemmed from the fact that the handler constructed a shell command using an f-string to write content, and then executed it using `subprocess.call` with `shell=True`. The content being written, which could be controlled by the output of an LLM, was not properly sanitized or escaped. An attacker could craft an LLM prompt that would cause the model to output a malicious string containing shell metacharacters. For example, an output like `'; rm -rf /; #` would be concatenated into the shell command. When `subprocess.call` executed this string, the attacker's command (`rm -rf /`) would run with the same permissions as the Python process running the LangChain application. This allowed for trivial remote code execution (RCE) in any application using this specific callback handler, posing a severe risk to the underlying server and its data. The discovery highlighted the dangers of insecurely combining LLM outputs with powerful system tools like shell commands, a common pattern in early AI agent development.

Affected Systems

langchain < 0.0.315

Testing Guide

1. Install a vulnerable version of LangChain: `pip install langchain==0.0.314`. 2. Create a Python script that configures an LLM agent to use the `BashCallbackHandler`. 3. Craft a prompt that is likely to make the LLM output a payload, such as 'Summarize the following text: `hello`; touch /tmp/pwned; #`'. 4. Run the script and check if the file `/tmp/pwned` was created on your system. If it exists, your application is vulnerable.

Mitigation Steps

1. **Upgrade LangChain:** Immediately update the `langchain` package to version `0.0.315` or later. 2. **Avoid `shell=True`:** When using `subprocess` or similar libraries, avoid the `shell=True` argument with any user-controllable or LLM-generated input. Pass command arguments as a list to prevent shell interpretation. 3. **Use Sanitization:** If dynamic shell command generation is unavoidable, use libraries like Python's `shlex.quote()` to properly escape all inputs before they are included in the command string. 4. **Principle of Least Privilege:** Run AI applications with the minimum necessary permissions to limit the impact of a potential RCE vulnerability.

Patch Details

The vulnerability was patched in LangChain version 0.0.315 by removing the use of `shell=True` in the callback handler.

Sources

← Back to vulnerabilities