LangChain
cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*
- <= 1.3.2, >= 1
- <= 0.3.84
A vulnerability exists in LangChain versions prior to 0.3.85 and 1.3.3, where older runtime code paths deserialize application-controlled payloads using overly broad object allowlists. This issue allows any trusted LangChain-serializable object to be revived, potentially leading to the injection of untrusted constructor arguments into trusted runtime paths. The vulnerability arises when applications accept untrusted structured input, such as JSON, without proper validation, and when attacker-controlled data is preserved in LangChain run inputs or outputs. Affected API paths include 'RunnableWithMessageHistory', 'astream_log()', and 'astream_events(version="v1")'.
Exploiting this vulnerability injects LangChain serialized constructor payloads into trusted runtime paths, so that classes are instantiated with untrusted arguments. This could result in persistent chat-history poisoning, prompt injection, manipulation of trusted LangChain objects, possible credential disclosure, and further impact in applications that load and execute untrusted serialized LangChain objects.
Users should migrate to LangChain version 0.3.85 or 1.3.3 and update their applications to use the currently recommended APIs, moving off the deprecated surfaces that are no longer recommended for new applications.
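The advisory ties the issue to applications that accept untrusted structured input such as JSON without validation. The following is an added example, not code from LangChain or from this advisory: a pre-filter that rejects request JSON containing LangChain's serialization envelope before it can reach run inputs or chat history. The envelope keys (`lc`, `type`) are taken from LangChain's serialization format rather than from this page, and the function names and sample inputs are constructed for illustration.

```python
import json

# Assumption (from LangChain's serialization format, not from this advisory):
# a serialized object is a dict with an "lc" version key and one of these types.
LC_TYPES = {"constructor", "secret", "not_implemented"}

# Constructed sample inputs; the "id" path is a placeholder, not a real class.
BENIGN = '{"question": "What is the refund policy?", "metadata": {"lang": "en"}}'
SUSPECT = ('{"question": "hi", "metadata": {"history": [{"lc": 1, '
           '"type": "constructor", "id": ["example", "Placeholder"], "kwargs": {}}]}}')


def find_lc_envelopes(value, path="$"):
    """Return the JSON path of every nested dict shaped like a serialized object."""
    hits = []
    if isinstance(value, dict):
        kind = value.get("type")
        # isinstance guard: "type" may be a list or dict, which is unhashable.
        if "lc" in value and isinstance(kind, str) and kind in LC_TYPES:
            hits.append(path)
        for key, child in value.items():
            hits.extend(find_lc_envelopes(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_lc_envelopes(child, f"{path}[{index}]"))
    return hits


def parse_untrusted_input(raw):
    """Parse request JSON and refuse it if any nested value is an envelope."""
    data = json.loads(raw)
    hits = find_lc_envelopes(data)
    if hits:
        raise ValueError("serialized LangChain object at: " + ", ".join(hits))
    return data


if __name__ == "__main__":
    print(parse_untrusted_input(BENIGN))
    try:
        parse_untrusted_input(SUSPECT)
    except ValueError as exc:
        print("rejected:", exc)
```

A filter like this complements the upgrade to 0.3.85 or 1.3.3 and does not replace it.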