Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data langchain-classic is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration. Note: This is only exploitable if the application pulls prompts by `owner/name` from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents. How to fix Deserialization of Untrusted Data? Upgrade `langchain-classic` to version 1.0.7 or higher.	[,1.0.7)

Deserialization of Untrusted Data

langchain-classic is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration.

Note:

This is only exploitable if the application pulls prompts by owner/name from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents.

How to fix Deserialization of Untrusted Data?

Upgrade langchain-classic to version 1.0.7 or higher.

[,1.0.7)

Go back to all versions of this package