9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-44467

GHSA ID

GHSA-gjjr-63x4-v8cq

EPSS Score

0.30148%

CWE

Published

10/9/2023

Updated

2/24/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-44467

CVE-2023-44467: langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arbitrary code via import in Python code, which is not prohibited by pal_chain/base.py.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-44467

CVE-2023-44467:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-44467

GHSA ID

GHSA-gjjr-63x4-v8cq

EPSS Score

0.30148%

CWE

Published

10/9/2023

Updated

2/24/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
langchain-experimental	pip	<= 0.0.14

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from the incomplete blocklist in COMMAND_EXECUTION_FUNCTIONS, which failed to include 'import'. This oversight allowed attackers to use 'import' in Python code executed via PALChain, bypassing the CVE-2023-36258 fix. The GitHub commit explicitly adds 'import' to this list to mitigate the issue, confirming its role in the vulnerability. The list is central to the validation logic in pal_chain/base.py, and its prior incompleteness directly enabled arbitrary code execution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-44467: langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

CVE-2023-44467:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

CVE-2023-44467: langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI