Yardenporat353

**Name of the Vulnerable Software and Affected Versions** langchain versions prior to 0.3.27 **Description** LangChain contains runtime code paths that deserialize inputs, outputs, or other application-controlled payloads using overly broad object allowlists, specifically calling `load()` with `allowed objects="all"`. This allows attacker-supplied serialized constructor dictionaries to instantiate trusted classes with untrusted arguments. This issue can lead to Server-Side Request Forgery (SSRF), enabling access to internal services, cloud metadata endpoints, or sensitive network resources, which may result in credential theft and persistent supply-chain compromise. Applications are exposed if they accept untrusted structured input (such as JSON) without validation, preserve attacker-controlled nested dictionaries or lists in run data, and use affected API paths. Known affected surfaces include the `RunnableWithMessageHistory` class, the `astream log()` function, and the `astream events(version="v1")` function. Additionally, a secret-marker validation bypass in the ` is lc secret` function allows constructor dictionaries to avoid escaping during `dumps()` to `loads()` round-trips. **Recommendations** Update langchain to version 0.3.27. Migrate away from the deprecated `RunnableWithMessageHistory` class, `astream log()` function, and `astream events(version="v1")` function in favor of newer streaming and memory patterns, such as the `stream` API. Use `load()` and `loads()` only with trusted manifests or objects from trusted storage; do not pass user-controlled data to these functions. When using `load()` or `loads()`, provide a narrow `allowed objects` value instead of relying on broad defaults or `allowed objects="all"`.

**Name of the Vulnerable Software and Affected Versions** LangGraph versions 1.0.9 and earlier **Description** LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker gains privileged write access to the checkpoint data store (e.g., after a database compromise), they could supply a crafted payload that triggers unsafe object reconstruction when the checkpoint is loaded. This is considered a post-exploitation issue, potentially allowing an attacker to escalate from write access to the checkpoint store to code execution within the application runtime, potentially exposing runtime secrets or providing access to other systems. Exploitation requires the ability to write attacker-controlled checkpoint bytes at rest. There is no evidence of exploitation in the wild. The issue can lead to arbitrary code execution or other unsafe side effects during checkpoint deserialization. The vulnerability requires the attacker to be able to modify persisted checkpoint bytes or compromise a trusted component that writes them. **Recommendations** Enable strict mode by setting the environment variable `LANGGRAPH STRICT MSGPACK` to a truthy value (e.g., '1', 'true', 'yes'). Configure the `allowed msgpack modules` setting to `None` for strict mode, or to a list of explicitly allowed modules and class names. Restrict write access to checkpoint stores and rotate credentials if a compromise is suspected. Avoid providing custom msgpack deserialization hooks that reconstruct arbitrary types unless checkpoint data is fully trusted.

**Name of the Vulnerable Software and Affected Versions** @langchain/langgraph-checkpoint-redis versions prior to 1.0.2 **Description** A query injection issue exists in the RedisSaver and ShallowRedisSaver classes of the @langchain/langgraph-checkpoint-redis package. These classes build RediSearch queries by directly incorporating user-supplied filter keys and values without sufficient sanitization. RediSearch utilizes special characters that can alter query behavior. When user-controlled data includes these characters, the query logic can be manipulated, potentially bypassing intended access controls. The vulnerability occurs due to the direct interpolation of user-provided filter keys and values into RediSearch queries without proper escaping. **Recommendations** Update to version 1.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Pillow versions 10.3.0 through 12.1.0 **Description** Pillow is a Python imaging library. An out-of-bounds write issue can occur when loading a specially crafted PSD image. This flaw exists within Pillow’s Photoshop Document (PSD) handler. The issue affects Pillow versions 10.3.0 and later. **Recommendations** Update to Pillow version 12.1.1. As a workaround, use the `formats` parameter in `Image.open()` to prevent PSD images from being opened.

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 0.3.81 and 1.2.5 Description: A serialization injection vulnerability exists in LangChain's `dumps()` and `dumpd()` functions. These functions do not properly escape dictionaries containing 'lc' keys when serializing data. The 'lc' key is used internally by LangChain to identify serialized objects. When user-controlled data includes this key structure, it is incorrectly treated as a legitimate LangChain object during deserialization instead of plain user data. This allows attackers to potentially extract sensitive information, such as environment variables, and potentially execute arbitrary code. The vulnerability is exploitable through prompt injection via LLM responses and can affect various components, including streaming operations and cached data. Recommendations: Upgrade to LangChain version 0.3.81 or 1.2.5 or later. If upgrading is not immediately possible, restrict deserialization to a predefined allowlist of trusted objects and disable automatic loading of secrets from environment variables. Treat all LLM outputs as untrusted data, especially when serialization or deserialization is involved.

**Name of the Vulnerable Software and Affected Versions** LangChain versions prior to 0.3.37 @langchain/core versions prior to 0.3.80 LangChain versions prior to 1.2.3 @langchain/core versions prior to 1.1.8 **Description** LangChain is a framework designed for building applications powered by Large Language Models (LLMs). A serialization issue exists in the `toJSON()` method of LangChain JS, impacting versions prior to 0.3.37 and 1.2.3 for LangChain, and prior to 0.3.80 and 1.1.8 for @langchain/core. This issue arises because the method does not properly escape objects containing 'lc' keys when serializing data using `JSON.stringify()`. The 'lc' key is used internally by LangChain to identify serialized objects. If user-supplied data includes this key structure, it may be incorrectly interpreted as a legitimate LangChain object during deserialization instead of being treated as plain user data. This could potentially lead to unauthorized access or manipulation of data. **Recommendations** Update to LangChain version 0.3.37 or later. Update to @langchain/core version 0.3.80 or later. Update to LangChain version 1.2.3 or later. Update to @langchain/core version 1.1.8 or later.