{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langchain-core/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["langchain-core"],"_cs_severities":["high"],"_cs_tags":["langchain","deserialization","vulnerability"],"_cs_type":"advisory","_cs_vendors":["LangChain"],"content_html":"\u003cp\u003eLangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call \u003ccode\u003eload()\u003c/code\u003e with \u003ccode\u003eallowed_objects='all'\u003c/code\u003e, allowing any trusted LangChain-serializable object to be revived with attacker-supplied constructor arguments. The vulnerability exists when applications accept untrusted structured input (e.g., JSON), fail to validate it before invoking LangChain, preserve attacker-controlled nested dictionaries/lists in LangChain run data, and use affected API paths like \u003ccode\u003eRunnableWithMessageHistory\u003c/code\u003e, \u003ccode\u003eastream_log()\u003c/code\u003e, or \u003ccode\u003eastream_events(version=\u0026quot;v1\u0026quot;)\u003c/code\u003e. A related secret-marker validation bypass in the serialization layer also contributes to the issue. This vulnerability affects \u003ccode\u003elangchain-core\u003c/code\u003e versions \u0026gt;= 1.0.0 and \u0026lt;= 1.3.2, as well as versions \u0026lt;= 0.3.84.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON payload containing a LangChain serialized constructor dictionary, e.g., for an \u003ccode\u003eAIMessage\u003c/code\u003e object with attacker-controlled content.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted JSON payload to a vulnerable application endpoint that accepts structured input.\u003c/li\u003e\n\u003cli\u003eThe application, without proper validation or canonicalization, processes the untrusted input and passes it to LangChain.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs.\u003c/li\u003e\n\u003cli\u003eThe application invokes an affected API path, such as \u003ccode\u003eRunnableWithMessageHistory\u003c/code\u003e, \u003ccode\u003eastream_log()\u003c/code\u003e, or \u003ccode\u003eastream_events(version=\u0026quot;v1\u0026quot;)\u003c/code\u003e, which uses \u003ccode\u003eload()\u003c/code\u003e with a broad object allowlist.\u003c/li\u003e\n\u003cli\u003eLangChain deserializes the malicious payload, instantiating the attacker-specified object (e.g., \u003ccode\u003eAIMessage\u003c/code\u003e) with attacker-controlled constructor arguments.\u003c/li\u003e\n\u003cli\u003eThe instantiated object\u0026rsquo;s content is then used in subsequent application logic, potentially leading to prompt injection, chat history poisoning, or other malicious outcomes.\u003c/li\u003e\n\u003cli\u003eIf the instantiated object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization, credential disclosure or server-side request forgery may occur.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to inject LangChain serialized constructor payloads, potentially leading to persistent chat-history poisoning (if revived messages are stored by \u003ccode\u003eRunnableWithMessageHistory\u003c/code\u003e), prompt injection, or the instantiation of unexpected LangChain objects with attacker-controlled arguments. This may lead to credential disclosure, server-side request forgery, or further exploitation within the application. The number of affected applications is currently unknown, but the impact could be significant given the widespread use of LangChain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMigrate away from the deprecated APIs: \u003ccode\u003eRunnableWithMessageHistory\u003c/code\u003e, \u003ccode\u003eastream_log()\u003c/code\u003e, and \u003ccode\u003eastream_events(version=\u0026quot;v1\u0026quot;)\u003c/code\u003e to the newer, recommended streaming and memory patterns.\u003c/li\u003e\n\u003cli\u003eUpdate LangChain to a patched version that tightens deserialization behavior.\u003c/li\u003e\n\u003cli\u003eDo not pass user-controlled data to \u003ccode\u003eload()\u003c/code\u003e or \u003ccode\u003eloads()\u003c/code\u003e. Only use these functions with trusted LangChain manifests or serialized objects from trusted storage.\u003c/li\u003e\n\u003cli\u003eUse a narrow \u003ccode\u003eallowed_objects\u003c/code\u003e value appropriate for the specific trusted manifest being loaded, instead of relying on broad defaults or \u003ccode\u003eallowed_objects=\u0026quot;all\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious process creation involving deserialization of LangChain objects.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T18:00:00Z","date_published":"2024-01-04T18:00:00Z","id":"/briefs/2024-01-04-langchain-deserialization/","summary":"LangChain is vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists, potentially leading to persistent chat-history poisoning, prompt injection, credential disclosure, or server-side requests.","title":"LangChain Unsafe Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-04-langchain-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Langchain-Core","version":"https://jsonfeed.org/version/1.1"}