PyPI package
langchain-core
pkg:pypi/langchain-core
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44843 | Hig | — | | >= 1.0.0, < 1.3.3 | 1.3.3 | May 8, 2026 | LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserializ |
| CVE-2026-40087 | Med | 5.3 | | < 0.3.84 | 0.3.84 | Apr 9, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforc |
| CVE-2026-34070 | Hig | 7.5 | | < 1.2.22 | 1.2.22 | Mar 31, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path inj |
| CVE-2026-26013 | | — | | < 1.2.11 | 1.2.11 | Feb 10, 2026 | LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to t |
| CVE-2025-68664 | | — | | >= 1.0.0, < 1.2.5 | 1.2.5 | Dec 23, 2025 | LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing fre |
| CVE-2025-65106 | Hig | — | | >= 1.0.0, < 1.0.7 | 1.0.7 | Nov 21, 2025 | LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template s |
| CVE-2024-10940 | Med | 5.3 | | >= 0.1.17, < 0.1.53 | 0.1.53 | Mar 20, 2025 | A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extensio |
| CVE-2024-1455 | | — | | < 0.1.35 | 0.1.35 | Mar 26, 2024 | A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory r |
| CVE-2024-28088 | | — | | < 0.1.30 | 0.1.30 | Mar 3, 2024 | LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome |