An issue in Harrison Chase langchain before version 0.0.236 allows a remote attacker to execute arbitrary code via the `from_math_prompt` and `from_colored_object_prompt` functions.

Affected Packages

PyPI langchain

Affected versions: 0 (fixed in 0.0.236)

Related CVEs

CVE-2023-38896

Key Information

GHSA ID

GHSA-92j5-3459-qgp4

Published

August 15, 2023 6:31 PM

Last Modified

September 27, 2024 9:36 PM

CVSS Score

9.0 /10

Primary Ecosystem

PyPI

Primary Package

langchain

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 30, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.