Skip to content

langchain_google_genai-1.0.8-py3-none-any.whl: 9 vulnerabilities (highest severity is: 9.3) #11

Open
Open
langchain_google_genai-1.0.8-py3-none-any.whl: 9 vulnerabilities (highest severity is: 9.3)#11
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Nov 21, 2025
Vulnerable Library - langchain_google_genai-1.0.8-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Vulnerabilities

Vulnerability Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (langchain_google_genai version) Remediation Possible** Reachability
CVE-2025-68664 Critical 9.3 Not Defined 0.0% langchain_core-0.2.43-py3-none-any.whl Transitive 1.0.9
CVE-2026-0994 High 8.6 Not Defined 0.0% protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl Transitive N/A*
CVE-2025-65106 High 8.2 Not Defined 0.1% langchain_core-0.2.43-py3-none-any.whl Transitive 1.0.9
CVE-2026-34070 High 7.5 Not Defined langchain_core-0.2.43-py3-none-any.whl Transitive N/A*
CVE-2026-30922 High 7.5 Not Defined 0.0% pyasn1-0.6.2-py3-none-any.whl Transitive N/A*
CVE-2024-10940 Medium 5.3 Not Defined 0.1% langchain_core-0.2.43-py3-none-any.whl Transitive N/A*
CVE-2026-25645 Medium 4.4 Not Defined 0.0% requests-2.32.5-py3-none-any.whl Transitive N/A*
CVE-2026-34073 Low 3.7 Not Defined cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl Transitive N/A*
CVE-2026-26013 Low 3.7 Not Defined 0.0% langchain_core-0.2.43-py3-none-any.whl Transitive 1.0.9

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-68664

Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Publish Date: 2025-12-23

URL: CVE-2025-68664

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (9.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c67j-w6g6-q2cm

Release Date: 2025-12-23

Fix Resolution (langchain-core): 0.3.81

Direct dependency fix Resolution (langchain-google-genai): 1.0.9

In order to enable automatic remediation, please create workflow rules

CVE-2026-0994

Vulnerable Library - protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

No project description provided

Library home page: https://files.pythonhosted.org/packages/d6/c6/c9deaa6e789b6fc41b88ccbdfe7a42d2b82663248b715f55aa77fbc00724/protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/protobuf-4.25.8.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • google_generativeai-0.7.2-py3-none-any.whl
      • protobuf-4.25.8-cp37-abi3-manylinux2014_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

Publish Date: 2026-01-23

URL: CVE-2026-0994

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-01-23

Fix Resolution: protobuf - 6.33.5,https://github.com/protocolbuffers/protobuf.git - v33.5,https://github.com/protocolbuffers/protobuf.git - v5.29.6

CVE-2025-65106

Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.

Publish Date: 2025-11-21

URL: CVE-2025-65106

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6qv9-48xg-fc7f

Release Date: 2025-11-20

Fix Resolution (langchain-core): 0.3.80

Direct dependency fix Resolution (langchain-google-genai): 1.0.9

In order to enable automatic remediation, please create workflow rules

CVE-2026-34070

Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

Summary Multiple functions in "langchain_core.prompts.loading" read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to "load_prompt()" or "load_prompt_from_config()", an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (".txt" for templates, ".json"/".yaml" for examples). Note: The affected functions ("load_prompt", "load_prompt_from_config", and the ".save()" method on prompt classes) are undocumented legacy APIs. They are superseded by the "dumpd"/"dumps"/"load"/"loads" serialization APIs in "langchain_core.load", which do not perform filesystem reads and use an allowlist-based security model. As part of this fix, the legacy APIs have been formally deprecated and will be removed in 2.0.0. Affected component Package: "langchain-core" File: "langchain_core/prompts/loading.py" Affected functions: "_load_template()", "_load_examples()", "_load_few_shot_prompt()" Severity High The score reflects the file-extension constraints that limit which files can be read. Vulnerable code paths | Config key | Loaded by | Readable extensions | |---|---|---| | "template_path", "suffix_path", "prefix_path" | "_load_template()" | ".txt" | | "examples" (when string) | "_load_examples()" | ".json", ".yaml", ".yml" | | "example_prompt_path" | "_load_few_shot_prompt()" | ".json", ".yaml", ".yml" | None of these code paths validated the supplied path against absolute path injection or ".." traversal sequences before reading from disk. Impact An attacker who controls or influences the prompt configuration dict can read files outside the intended directory: - ".txt" files: cloud-mounted secrets ("/mnt/secrets/api_key.txt"), "requirements.txt", internal system prompts - ".json"/".yaml" files: cloud credentials ("/.docker/config.json", "/.azure/accessTokens.json"), Kubernetes manifests, CI/CD configs, application settings This is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose "load_prompt_from_config()". Proof of concept from langchain_core.prompts.loading import load_prompt_from_config Reads /tmp/secret.txt via absolute path injection config = { "_type": "prompt", "template_path": "/tmp/secret.txt", "input_variables": [], } prompt = load_prompt_from_config(config) print(prompt.template) # file contents disclosed Reads ../../etc/secret.txt via directory traversal config = { "_type": "prompt", "template_path": "../../etc/secret.txt", "input_variables": [], } prompt = load_prompt_from_config(config) Reads arbitrary .json via few-shot examples config = { "_type": "few_shot", "examples": "../../../../.docker/config.json", "example_prompt": { "_type": "prompt", "input_variables": ["input", "output"], "template": "{input}: {output}", }, "prefix": "", "suffix": "{query}", "input_variables": ["query"], } prompt = load_prompt_from_config(config) Mitigation Update "langchain-core" to >= 1.2.22. The fix adds path validation that rejects absolute paths and ".." traversal sequences by default. An "allow_dangerous_paths=True" keyword argument is available on "load_prompt()" and "load_prompt_from_config()" for trusted inputs. As described above, these legacy APIs have been formally deprecated. Users should migrate to "dumpd"/"dumps"/"load"/"loads" from "langchain_core.load". Credit - "jiayuqi7813" (https://github.com/jiayuqi7813) reporter - "VladimirEliTokarev" (https://github.com/VladimirEliTokarev) reporter - "Rickidevs" (https://github.com/Rickidevs) reporter - Kenneth Cox (cczine@gmail.com) reporter

Publish Date: 2026-03-27

URL: CVE-2026-34070

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qh6h-p6c9-ff54

Release Date: 2026-03-27

Fix Resolution: langchain-core - 1.2.22

CVE-2026-30922

Vulnerable Library - pyasn1-0.6.2-py3-none-any.whl

Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)

Library home page: https://files.pythonhosted.org/packages/44/b5/a96872e5184f354da9c84ae119971a0a4c221fe9b27a4d94bd43f2596727/pyasn1-0.6.2-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/pyasn1-0.6.2.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • google_generativeai-0.7.2-py3-none-any.whl
      • google_auth-2.49.0-py3-none-any.whl
        • pyasn1_modules-0.4.2-py3-none-any.whl
          • pyasn1-0.6.2-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the "pyasn1" library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested "SEQUENCE" ("0x30") or "SET" ("0x31") tags with "Indefinite Length" ("0x80") markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a "RecursionError" or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 ("MAX_OID_ARC_CONTINUATION_OCTETS") does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

Publish Date: 2026-03-18

URL: CVE-2026-30922

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-18

Fix Resolution: https://github.com/pyasn1/pyasn1.git - v0.6.3,pyasn1 - 0.6.3

CVE-2024-10940

Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.

Publish Date: 2025-03-20

URL: CVE-2024-10940

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5chr-fjjv-38qv

Release Date: 2025-03-20

Fix Resolution: langchain-core - 0.3.15,https://github.com/langchain-ai/langchain.git - langchain==0.2.43,https://github.com/langchain-ai/langchain.git - langchain==0.3.15,langchain-core - 0.2.43,langchain-core - 0.1.53

CVE-2026-25645

Vulnerable Library - requests-2.32.5-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • google_generativeai-0.7.2-py3-none-any.whl
      • google_api_core-2.30.0-py3-none-any.whl
        • requests-2.32.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

Requests is a HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.

Publish Date: 2026-03-25

URL: CVE-2026-25645

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/psf/requests.git - v2.33.0

CVE-2026-34073

Vulnerable Library - cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/99/0f/a3076874e9c88ecb2ecc31382f6e7c21b428ede6f55aafa1aa272613e3cd/cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/cryptography-46.0.5.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • google_generativeai-0.7.2-py3-none-any.whl
      • google_auth-2.49.0-py3-none-any.whl
        • cryptography-46.0.5-cp38-abi3-manylinux_2_34_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named "bar.example.com" to validate against a wildcard leaf certificate for "*.example.com", even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for "bar.example.com". This behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead. In practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity. See CVE-2025-61727 for a similar bypass in Go's "crypto/x509". Remediation Users should upgrade to 46.0.6 or newer. Attribution Reporter: @1seal

Publish Date: 2026-03-27

URL: CVE-2026-34073

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m959-cc7f-wv43

Release Date: 2026-03-27

Fix Resolution: cryptography - 46.0.6

CVE-2026-26013

Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl

Building applications with LLMs through composability

Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info

Dependency Hierarchy:

  • langchain_google_genai-1.0.8-py3-none-any.whl (Root Library)
    • langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f

Found in base branch: main

Vulnerability Details

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.

Publish Date: 2026-02-10

URL: CVE-2026-26013

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-02-10

Fix Resolution (langchain-core): 1.2.11

Direct dependency fix Resolution (langchain-google-genai): 1.0.9

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions