CVE-2024-58340

Name of the Vulnerable Software and Affected Versions LangChain versions up to and including 0.3.1

Description LangChain versions up to and including 0.3.1 have a regular expression denial-of-service (ReDoS) issue in the MRKLOutputParser.parse() method, located in libs/langchain/langchain/agents/mrkl/output parser.py. The parser uses a regular expression that is susceptible to backtracking, which can be triggered by a crafted payload. An attacker who can control or influence the parsed text, such as through prompt injection, can cause excessive CPU usage, leading to parsing delays and a denial-of-service condition. The vulnerable method is parse().

Recommendations Update to a version of LangChain greater than 0.3.1.