langchain 0.3.29

Direct Vulnerabilities

Known vulnerabilities in the langchain package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Symlink Attack langchain is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Symlink Attack via the file-search middleware and loaders that resolve filesystem paths and search patterns without confining the resolved path to the intended root directory. An attacker can access files outside the intended directory boundary by supplying crafted path values, glob patterns, or symlinks influenced by untrusted sources. How to fix Symlink Attack? Upgrade `langchain` to version 1.3.9 or higher.	[,1.3.9)
H Deserialization of Untrusted Data langchain is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration. Note: This is only exploitable if the application pulls prompts by `owner/name` from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents. How to fix Deserialization of Untrusted Data? Upgrade `langchain` to version 0.3.30 or higher.	[,0.3.30)

Vulnerability

Vulnerable Version

Symlink Attack

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Symlink Attack via the file-search middleware and loaders that resolve filesystem paths and search patterns without confining the resolved path to the intended root directory. An attacker can access files outside the intended directory boundary by supplying crafted path values, glob patterns, or symlinks influenced by untrusted sources.

How to fix Symlink Attack?

Upgrade langchain to version 1.3.9 or higher.

[,1.3.9)

Deserialization of Untrusted Data

langchain is a Building applications with LLMs through composability

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration.

Note:

This is only exploitable if the application pulls prompts by owner/name from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents.

How to fix Deserialization of Untrusted Data?

Upgrade langchain to version 0.3.30 or higher.

[,0.3.30)

langchain@0.3.29

Building applications with LLMs through composability

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically