CVE-2023-36095
Use of a System Element with Insecure Security Configuration in langchain — CRITICAL (9.8)
Executive Summary
CVE-2023-36095 is a medium severity vulnerability affecting aibom. It is classified as CWE-1357. Ensure your systems and dependencies are patched immediately to mitigate exposure risks.
Precogs AI Insight
"Precogs AI scans model weights and configurations to detect insecure serialization (e.g. PyTorch pickle structures) and prompt escapes, reinforcing the AIBOM validation pipeline."
What is this vulnerability?
CVE-2023-36095 is categorized as a medium Use of a System Element with Insecure Security Configuration flaw with a CVSS base score of 6.0. Based on our vulnerability intelligence, this issue occurs when the application fails to securely handle untrusted data boundaries.
A security exposure has been identified in the vendor product component. Specifying as langchain — critical (9.8), this vulnerability enables remote or local actors to exploit bounds or logical checks.
This architectural defect enables adversaries to bypass intended security controls, directly manipulating the application's execution state or data layer. Immediate strategic intervention is required.
Risk Assessment
| Metric | Value |
|---|---|
| CVSS Base Score | 6.0 (MEDIUM) |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Published | November 11, 2022 |
| Last Modified | November 11, 2022 |
| Related CWEs | CWE-1357 |
Impact on Systems
✅ Remote Code Execution: Untrusted serialization loading triggers shellcode execution in inference workers.
✅ Model Poisoning: Modified weights trigger biased or malicious outputs under target conditions.
✅ Data Exfiltration: Manipulated chat or pipeline contexts leak system prompts or fine-tuning datasets.
How to Fix and Mitigate CVE-2023-36095
- Migrate to Safetensors: Replace pickle-based weights format (.pt, .pkl) with the safe tensor storage format.
- Disable Remote Code Execution: Lock down the loader configuration using
trust_remote_code=False. - Integrate AIBOM Logs: Implement cryptographic verification signatures on all imported models and pipelines.
Defending with Precogs AI
Precogs AI scans model weights and configurations to detect insecure serialization (e.g. PyTorch pickle structures) and prompt escapes, reinforcing the AIBOM validation pipeline.
Use Precogs to continuously scan your codebase, binaries, APIs, and infrastructure for this vulnerability class and related attack patterns. Our AI-powered detection engine combines static analysis with threat intelligence to identify exploitable weaknesses before attackers do.
Vulnerability Code Signature
Attack Data Flow
| Stage | Detail |
|---|---|
| Source | Public model repository (Hugging Face / Model Hub) |
| Vector | Direct loading of unverified pickle model weights |
| Sink | torch.load() execution sink |
| Impact | Arbitrary remote code execution (RCE) on the inference server |
Vulnerable Code Pattern
# ❌ VULNERABLE: Loading arbitrary PyTorch weights using pickle
import torch
def load_model_weights(filepath):
# PyTorch uses pickle internally by default, leading to arbitrary code execution
return torch.load(filepath)
Secure Code Pattern
# ✅ SECURE: Using safetensors for weights loading
from safetensors.torch import load_file
def load_model_weights_safe(filepath):
# safetensors prevents code execution by strictly parsing tensor arrays
return load_file(filepath)
How Precogs Detects This
Precogs AI scans model loading routines to detect torch.load and other unsafe deserialization endpoints, prompting migration to safetensors.