
CVE-2023-39631: Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.77521%
Published: 9/1/2023
Updated: 2/20/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
langchain    | pip       | < 0.0.308           | 0.0.308
numexpr      | pip       | < 2.8.5             | 2.8.5

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from numexpr's evaluate function passing unsanitized input to eval(). Commit 4b2d89c in numexpr added a regex-based input check (_forbidden_re) that rejects the characters ';', ':', '__' and '[', which confirms that the pre-patch evaluate function accepted them unfiltered. Langchain's LLMMathChain called this evaluate implementation on model-produced math expressions, so an attacker who could influence that expression could execute code. Both the low-level expression parser (stringToExpression) and the public evaluate API are implicated.


WAF Protection Rules

WAF Rule

An issue in LangChain-ai Langchain v.*.*.*** allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Patches: Released in v.*.*.***. The numexpr dependency is optional for langchain.
