azure-search-openai-demo
LangChain vulnerable to code injection
Please provide us with the following information:
This issue is for a: (mark with an x)
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
Run Dependabot against this repository.
Any log messages given by the failure
LangChain vulnerable to code injection
In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec() method.
Expected/desired behavior
The desired behavior is not to see a dependency on a highly vulnerable Python library version.
OS and Version?
Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)
Not OS dependent
Versions
"/notebooks/requirements.txt" lists the required version as "langchain==0.0.78".
"/app/backend/requirements.txt" also lists the required version as "langchain==0.0.78".
All versions previous to 0.0.131 are vulnerable.
The current release of langchain is 0.0.135.
Mention any other details that might be useful
- https://nvd.nist.gov/vuln/detail/CVE-2023-29374
- https://twitter.com/rharang/status/1641899743608463365
- https://github.com/hwchase17/langchain/issues/814
- https://github.com/hwchase17/langchain/pull/1119
Thanks! We'll be in touch soon.
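A check for the pins described in this issue, added here as an example and not part of the original report or the repository's code: it scans requirements text for `langchain` pins inside the range the quoted advisory gives ("through 0.0.131"). The function name, the sample input and the simplified standard-library parsing are assumptions of this example.

```python
import re

# Upper bound of the affected range, taken from the advisory text quoted in
# the issue ("In LangChain through 0.0.131 ...").
LAST_AFFECTED = (0, 0, 131)
# "name[extras] == 1.2.3" exact pins; anything else is reported for review.
PIN_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*(?:\[[^\]]*\])?\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*$")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

# Constructed sample; the 0.0.78 and 0.0.135 versions are the ones named in the issue.
SAMPLE = """\
# constructed requirements file
openai[datalib]==0.27.0
langchain==0.0.78
LangChain == 0.0.135  # current release named in the issue
langchain>=0.0.100
langchain-extras-example==0.0.1
"""


def check_requirements(text, package="langchain"):
    """Return (line_number, requirement, verdict) for each line naming the package.

    verdict is 'affected', 'ok', or 'review' (no plain numeric == pin, so the
    version actually installed has to be checked separately).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments, markers
        if not line or line.startswith("-"):  # blanks and pip options (-r, -e, ...)
            continue
        name = NAME_RE.match(line)
        if not name or re.sub(r"[-_.]+", "-", name.group(1)).lower() != package:
            continue
        pin = PIN_RE.match(line)
        if not pin:
            findings.append((lineno, line, "review"))
            continue
        version = tuple(int(part) for part in pin.group(1).split("."))
        version += (0,) * (3 - len(version))  # pad so 0.1 compares as 0.1.0
        verdict = "affected" if version <= LAST_AFFECTED else "ok"
        findings.append((lineno, line, verdict))
    return findings


if __name__ == "__main__":
    for lineno, requirement, verdict in check_requirements(SAMPLE):
        print(f"line {lineno}: {requirement} -> {verdict}")
```

Run it against both `/notebooks/requirements.txt` and `/app/backend/requirements.txt`, since the issue reports the same pin in each.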