Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for langchain_core by langchain

    CVE-2026-40087 (GCVE-0-2026-40087)

    Vulnerability from nvd – Published: 2026-04-09 19:34 – Updated: 2026-04-14 14:48
    VLAI
    Title
    LangChain has incomplete f-string validation in prompt templates
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: < 0.3.83
    Affected: >= 1.0.0a1, < 1.2.28
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:47:52.978194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:48:03.160Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.3.83"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0a1, \u003c 1.2.28"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain\u0027s f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T19:34:55.198Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/36612",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/36612"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/36613",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/36613"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"
            }
          ],
          "source": {
            "advisory": "GHSA-926x-3r5x-gfhw",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain has incomplete f-string validation in prompt templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40087",
        "datePublished": "2026-04-09T19:34:55.198Z",
        "dateReserved": "2026-04-09T00:39:12.206Z",
        "dateUpdated": "2026-04-14T14:48:03.160Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34070 (GCVE-0-2026-34070)

    Vulnerability from nvd – Published: 2026-03-31 02:01 – Updated: 2026-06-30 12:09
    VLAI
    Title
    LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34070",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T15:17:33.597003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T18:04:59.283Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-31T02:01:49.320Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:15.814Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34070"
              },
              {
                "name": "RHBZ#2453287",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453287"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34070.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24766"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24766: Red Hat Ansible Automation Platform 2.5"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-31T03:02:19.523Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-31T02:01:49.320Z",
                "value": "Made public."
              }
            ],
            "title": "langchain: path traversal in legacy load_prompt functions in langchain-core",
            "workarounds": [
              {
                "lang": "en",
                "value": "As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.22"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T02:01:49.320Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"
            }
          ],
          "source": {
            "advisory": "GHSA-qh6h-p6c9-ff54",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34070",
        "datePublished": "2026-03-31T02:01:49.320Z",
        "dateReserved": "2026-03-25T16:21:40.867Z",
        "dateUpdated": "2026-06-30T12:09:15.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26013 (GCVE-0-2026-26013)

    Vulnerability from nvd – Published: 2026-02-10 21:51 – Updated: 2026-02-11 21:26
    VLAI
    Title
    LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: < 1.2.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:26:20.888102Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:26:34.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T21:51:07.741Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"
            }
          ],
          "source": {
            "advisory": "GHSA-2g6r-c272-w58r",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26013",
        "datePublished": "2026-02-10T21:51:07.741Z",
        "dateReserved": "2026-02-09T21:36:29.554Z",
        "dateUpdated": "2026-02-11T21:26:34.029Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68664 (GCVE-0-2025-68664)

    Vulnerability from nvd – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
    VLAI
    Title
    LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: >= 1.0.0, < 1.2.5
    Affected: < 0.3.81
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68664",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-24T14:40:55.506059Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-24T14:40:58.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0, \u003c 1.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 0.3.81"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-23T22:47:44.084Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/34455",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/34455"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/34458",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/34458"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
            }
          ],
          "source": {
            "advisory": "GHSA-c67j-w6g6-q2cm",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68664",
        "datePublished": "2025-12-23T22:47:44.084Z",
        "dateReserved": "2025-12-22T23:28:02.917Z",
        "dateUpdated": "2025-12-24T14:40:58.427Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-40087 (GCVE-0-2026-40087)

    Vulnerability from cvelistv5 – Published: 2026-04-09 19:34 – Updated: 2026-04-14 14:48
    VLAI
    Title
    LangChain has incomplete f-string validation in prompt templates
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: < 0.3.83
    Affected: >= 1.0.0a1, < 1.2.28
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-40087",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-14T14:47:52.978194Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-14T14:48:03.160Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.3.83"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0a1, \u003c 1.2.28"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain\u0027s f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as PromptTemplate. In particular, DictPromptTemplate and ImagePromptTemplate could accept templates containing attribute access or indexing expressions and subsequently evaluate those expressions during formatting. Second, f-string validation based on parsed top-level field names did not reject nested replacement fields inside format specifiers. In this pattern, the nested replacement field appears in the format specifier rather than in the top-level field name. As a result, earlier validation based on parsed field names did not reject the template even though Python formatting would still attempt to resolve the nested expression at runtime. This vulnerability is fixed in 0.3.84 and 1.2.28."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T19:34:55.198Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-926x-3r5x-gfhw"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/36612",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/36612"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/36613",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/36613"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/6bab0ba3c12328008ddca3e0d54ff5a6151cd27b"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/af2ed47c6f008cdd551f3c0d87db3774c8dfe258"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.84"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.28"
            }
          ],
          "source": {
            "advisory": "GHSA-926x-3r5x-gfhw",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain has incomplete f-string validation in prompt templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-40087",
        "datePublished": "2026-04-09T19:34:55.198Z",
        "dateReserved": "2026-04-09T00:39:12.206Z",
        "dateUpdated": "2026-04-14T14:48:03.160Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34070 (GCVE-0-2026-34070)

    Vulnerability from cvelistv5 – Published: 2026-03-31 02:01 – Updated: 2026-06-30 12:09
    VLAI
    Title
    LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34070",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-31T15:17:33.597003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-31T18:04:59.283Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2.5::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2.5",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_lightspeed"
                ],
                "defaultStatus": "affected",
                "product": "OpenShift Lightspeed",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:ansible_automation_platform:2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Ansible Automation Platform 2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift_ai"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift AI (RHOAI)",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-03-31T02:01:49.320Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in LangChain. Multiple functions in `langchain_core.prompts.loading` read files from paths embedded in deserialized configuration dictionaries without validation for directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to `load_prompt()` or `load_prompt_from_config()`, an attacker can read arbitrary files on the host filesystem."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-22",
                    "description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:15.814Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34070"
              },
              {
                "name": "RHBZ#2453287",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453287"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34070.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:24766"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:24766: Red Hat Ansible Automation Platform 2.5"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-03-31T03:02:19.523Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-03-31T02:01:49.320Z",
                "value": "Made public."
              }
            ],
            "title": "langchain: path traversal in legacy load_prompt functions in langchain-core",
            "workarounds": [
              {
                "lang": "en",
                "value": "As described in the statement section, the vulnerable methods are legacy APIs and their use should be avoided. To mitigate this issue, the dumpd, dumps, load and loads methods from langchain_core.load should be used, as they supersede the legacy API and provide a more secure serialization model."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.22"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-31T02:01:49.320Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-qh6h-p6c9-ff54"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/27add913474e01e33bededf4096151130ba0d47c"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core==1.2.22"
            }
          ],
          "source": {
            "advisory": "GHSA-qh6h-p6c9-ff54",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34070",
        "datePublished": "2026-03-31T02:01:49.320Z",
        "dateReserved": "2026-03-25T16:21:40.867Z",
        "dateUpdated": "2026-06-30T12:09:15.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-26013 (GCVE-0-2026-26013)

    Vulnerability from cvelistv5 – Published: 2026-02-10 21:51 – Updated: 2026-02-11 21:26
    VLAI
    Title
    LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: < 1.2.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-26013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-11T21:26:20.888102Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-11T21:26:34.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.2.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-10T21:51:07.741Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-2g6r-c272-w58r"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/2b4b1dc29a833d4053deba4c2b77a3848c834565"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.11"
            }
          ],
          "source": {
            "advisory": "GHSA-2g6r-c272-w58r",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-26013",
        "datePublished": "2026-02-10T21:51:07.741Z",
        "dateReserved": "2026-02-09T21:36:29.554Z",
        "dateUpdated": "2026-02-11T21:26:34.029Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-68664 (GCVE-0-2025-68664)

    Vulnerability from cvelistv5 – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
    VLAI
    Title
    LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
    Summary
    LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Vendor Product Version
    langchain-ai langchain Affected: >= 1.0.0, < 1.2.5
    Affected: < 0.3.81
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-68664",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-24T14:40:55.506059Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-24T14:40:58.427Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "langchain",
              "vendor": "langchain-ai",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.0.0, \u003c 1.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003c 0.3.81"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-23T22:47:44.084Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/34455",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/34455"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/pull/34458",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/pull/34458"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
            },
            {
              "name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
            }
          ],
          "source": {
            "advisory": "GHSA-c67j-w6g6-q2cm",
            "discovery": "UNKNOWN"
          },
          "title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-68664",
        "datePublished": "2025-12-23T22:47:44.084Z",
        "dateReserved": "2025-12-22T23:28:02.917Z",
        "dateUpdated": "2025-12-24T14:40:58.427Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }