
CVE-2023-44467: langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.30148%
CWE: -
Published: 10/9/2023
Updated: 2/24/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name           | Ecosystem | Vulnerable Versions | First Patched Version
langchain-experimental | pip       | <= 0.0.14           |

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability arises from the incomplete blocklist in COMMAND_EXECUTION_FUNCTIONS, which failed to include '__import__'. This oversight allowed attackers to call '__import__' in Python code executed via PALChain, bypassing the CVE-2023-36258 fix. The GitHub commit explicitly adds '__import__' to this list to mitigate the issue, confirming its role in the vulnerability. The list is central to the validation logic in pal_chain/base.py, and its prior incompleteness directly enabled arbitrary code execution.
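To show why the missing entry mattered, the following is an added example, not langchain_experimental's own pal_chain/base.py: an AST-based validator in the style the analysis describes, checked against a constructed snippet with the blocklist before and after the fix. Only '__import__' is taken from the advisory; the other blocked names are assumed for illustration.

```python
import ast

# Illustrative re-implementation of the blocklist check described above; this is an
# added example, not langchain_experimental's own pal_chain/base.py. Only "__import__"
# comes from the advisory; the other blocked names are assumed for the illustration.
BLOCKLIST_BEFORE_FIX = ["system", "exec", "execfile", "eval"]
BLOCKLIST_AFTER_FIX = BLOCKLIST_BEFORE_FIX + ["__import__"]


def has_import_statement(code: str) -> bool:
    """True if the code contains an `import` / `from ... import` statement."""
    return any(isinstance(n, (ast.Import, ast.ImportFrom))
               for n in ast.walk(ast.parse(code)))


def called_names(code: str) -> set[str]:
    """Names of every function or method called anywhere in the code."""
    names = set()
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name):
                names.add(node.func.id)      # eval(...), __import__(...)
            elif isinstance(node.func, ast.Attribute):
                names.add(node.func.attr)    # os.system(...)
    return names


def validate(code: str, blocklist: list[str]) -> list[str]:
    """Return the blocked function names the code calls; [] means it passes."""
    return sorted(called_names(code) & set(blocklist))


# Constructed sample of model-generated "solution" code. It contains no import
# statement, so a check for import statements alone does not flag it, but the
# builtin __import__() call loads a module all the same.
SAMPLE = "mod = __import__('os')\nresult = mod.getcwd()\n"

if __name__ == "__main__":
    print("import statement present:", has_import_statement(SAMPLE))      # False
    print("blocked (before fix):", validate(SAMPLE, BLOCKLIST_BEFORE_FIX))  # []
    print("blocked (after fix): ", validate(SAMPLE, BLOCKLIST_AFTER_FIX))   # ['__import__']
```

The same walk also catches method-style calls such as os.system(...), which is why the check keys on call names rather than on import statements alone.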

Vulnerable functions


WAF Protection Rules

WAF Rule

langchain_experimental (aka LangChain Experimental) in LangChain before *.*.*** allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via __import__ in Python code, which is not prohibited by pal_chain/base.py.

Reasoning

The vulnerability arises from the incomplete blocklist in COMMAND_EXECUTION_FUNCTIONS, which failed to include '__import__'. This oversight allowed attackers to use '__import__' in Python code executed via PALChain, bypassing the CVE-2023-36258 fix.