PT-2026-53461 · Pypi · Langchain-Core
Publicado
2026-06-29
·
Atualizado
2026-06-29
CVSS v3.1
9.3
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
Summary
A serialization injection vulnerability exists in LangChain's
dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.Attack surface
The core vulnerability was in
dumps() and dumpd(): these functions failed to escape user-controlled dictionaries containing 'lc' keys. When this unescaped data was later deserialized via load() or loads(), the injected structures were treated as legitimate LangChain objects rather than plain user data.This escaping bug enabled several attack vectors:
- Injection via user data: Malicious LangChain object structures could be injected through user-controlled fields like
metadata,additional kwargs, orresponse metadata - Class instantiation within trusted namespaces: Injected manifests could instantiate any
Serializablesubclass, but only within the pre-approved trusted namespaces (langchain core,langchain,langchain community). This includes classes with side effects ininit(network calls, file operations, etc.). Note that namespace validation was already enforced before this patch, so arbitrary classes outside these trusted namespaces could not be instantiated.
Security hardening
This patch fixes the escaping bug in
dumps() and dumpd() and introduces new restrictive defaults in load() and loads(): allowlist enforcement via allowed objects="core" (restricted to [serialization mappings](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain core/load/mapping.py)), secrets from env changed from True to False, and default Jinja2 template blocking via init validator. These are breaking changes for some use cases.Who is affected?
Applications are vulnerable if they:
- Use
astream events(version="v1")— The v1 implementation internally uses vulnerable serialization. Note:astream events(version="v2")is not vulnerable. - Use
Runnable.astream log()— This method internally uses vulnerable serialization for streaming outputs. - Call
dumps()ordumpd()on untrusted data, then deserialize withload()orloads()— Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains'lc'key structures. - Deserialize untrusted data with
load()orloads()— Directly deserializing untrusted data that may contain injected'lc'structures. - Use
RunnableWithMessageHistory— Internal serialization in message history handling. - Use
InMemoryVectorStore.load()to deserialize untrusted documents. - Load untrusted generations from cache using
langchain-communitycaches. - Load untrusted manifests from the LangChain Hub via
hub.pull. - Use
StringRunEvaluatorChainon untrusted runs. - Use
create lc storeorcreate kv docstorewith untrusted documents. - Use
MultiVectorRetrieverwith byte stores containing untrusted documents. - Use
LangSmithRunChatLoaderwith runs containing untrusted messages.
The most common attack vector is through LLM response fields like
additional kwargs or response metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.Impact
Attackers who control serialized data can extract environment variable secrets by injecting
{"lc": 1, "type": "secret", "id": ["ENV VAR"]} to load environment variables during deserialization (when secrets from env=True, which was the old default). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within trusted namespaces with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.Key severity factors:
- Affects the serialization path - applications trusting their own serialization output are vulnerable
- Enables secret extraction when combined with
secrets from env=True(the old default) - LLM responses in
additional kwargscan be controlled via prompt injection
Exploit example
python
from langchain core.load import dumps, load
import os
# Attacker injects secret structure into user-controlled data
attacker dict = {
"user data": {
"lc": 1,
"type": "secret",
"id": ["OPENAI API KEY"]
}
}
serialized = dumps(attacker dict) # Bug: does NOT escape the 'lc' key
os.environ["OPENAI API KEY"] = "sk-secret-key-12345"
deserialized = load(serialized, secrets from env=True)
print(deserialized["user data"]) # "sk-secret-key-12345" - SECRET LEAKED!
Security hardening changes (breaking changes)
This patch introduces three breaking changes to
load() and loads():- New
allowed objectsparameter (defaults to'core'): Enforces allowlist of classes that can be deserialized. The'all'option corresponds to the list of objects [specified inmappings.py](https://github.com/langchain-ai/langchain/blob/master/libs/core/langchain core/load/mapping.py) while the'core'option limits to objects withinlangchain core. We recommend that users explicitly specify which objects they want to allow for serialization/deserialization. secrets from envdefault changed fromTruetoFalse: Disables automatic secret loading from environment- New
init validatorparameter (defaults todefault init validator): Blocks Jinja2 templates by default
Migration guide
No changes needed for most users
If you're deserializing standard LangChain types (messages, documents, prompts, trusted partner integrations like
ChatOpenAI, ChatAnthropic, etc.), your code will work without changes:python
from langchain core.load import load
# Uses default allowlist from serialization mappings
obj = load(serialized data)
For custom classes
If you're deserializing custom classes not in the serialization mappings, add them to the allowlist:
python
from langchain core.load import load
from my package import MyCustomClass
# Specify the classes you need
obj = load(serialized data, allowed objects=[MyCustomClass])For Jinja2 templates
Jinja2 templates are now blocked by default because they can execute arbitrary code. If you need Jinja2 templates, pass
init validator=None:python
from langchain core.load import load
from langchain core.prompts import PromptTemplate
obj = load(
serialized data,
allowed objects=[PromptTemplate],
init validator=None
)
[!WARNING] Only disableinit validatorif you trust the serialized data. Jinja2 templates can execute arbitrary Python code.
For secrets from environment
secrets from env now defaults to False. If you need to load secrets from environment variables:python
from langchain core.load import load
obj = load(serialized data, secrets from env=True)Credits
- Dumps bug was reported by @yardenporat
- Changes for security hardening due to findings from @0xn3va and @VladimirEliTokarev
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Langchain-Core