Main Vulnerability Database Vulnerabilities #VU130244

Deserialization of Untrusted Data in LangChain - #VU130244

Published: May 6, 2026

Vulnerability identifier: #VU130244

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-502

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
LangChain

Software vendor:
LangChain

Description

The vulnerability allows a remote attacker to disclose sensitive information and manipulate application behavior.

The vulnerability exists due to unsafe deserialization in the load() deserialization logic when processing untrusted structured input that is later deserialized from LangChain run data. A remote attacker can submit crafted LangChain serialized constructor dictionaries to disclose sensitive information and manipulate application behavior.

Applications are exposed only if untrusted structured input is preserved in run inputs or outputs and later reaches affected runtime surfaces such as RunnableWithMessageHistory, astream_log(), or astream_events(version="v1").

Remediation

Install security update from vendor's website.

External links

https://github.com/langchain-ai/langchain/security/advisories/GHSA-pjwx-r37v-7724

Deserialization of Untrusted Data in LangChain - #VU130244

Description

Remediation

External links

Please verify you're human