Lucene search
K

4 matches found

OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-373 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...

9.3CVSS7.8AI score0.1383EPSS
Exploits5References11
Snyk
Snyk
added 2025/12/23 11:54 p.m.5 views

Deserialization of Untrusted Data

Overview @langchain/core is a Core LangChain.js abstractions and schemas Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the toJSON function, which fails to properly escape user-controlled objects containing the lc key during serialization. An attacker ca...

9.3CVSS6.9AI score0.00746EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/23 11:4 p.m.5 views

Deserialization of Untrusted Data

Overview langchain-core is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the dumps and dumpd functions when user-controlled data containing the lc key is serialized and later deserialized. This key...

9.3CVSS8.2AI score0.1383EPSS
Exploits5References2
Github Security Blog
Github Security Blog
added 2025/12/23 6:46 p.m.10 views

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...

9.3CVSS7.8AI score0.1383EPSS
Exploits5References9Affected Software1
Rows per page
Query Builder