langchain_openai-0.1.20-py3-none-any.whl: 5 vulnerabilities (highest severity is: 9.3) #12
Description
Vulnerable Library - langchain_openai-0.1.20-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (langchain_openai version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-68664 |  Critical |
9.3 | Not Defined | 0.0% | langchain_core-0.2.43-py3-none-any.whl | Transitive | 0.1.21 | ✅ | |
| CVE-2025-65106 |  High |
8.2 | Not Defined | 0.1% | langchain_core-0.2.43-py3-none-any.whl | Transitive | 0.1.21 | ✅ | |
| CVE-2026-34070 | High |
7.5 | Not Defined | langchain_core-0.2.43-py3-none-any.whl | Transitive | N/A* | ❌ | ||
| CVE-2024-10940 |  Medium |
5.3 | Not Defined | 0.1% | langchain_core-0.2.43-py3-none-any.whl | Transitive | N/A* | ❌ | |
| CVE-2026-26013 |  Low |
3.7 | Not Defined | 0.0% | langchain_core-0.2.43-py3-none-any.whl | Transitive | 0.1.21 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-68664
Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Dependency Hierarchy:
- langchain_openai-0.1.20-py3-none-any.whl (Root Library)
- ❌ langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Found in base branch: main
Vulnerability Details
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Publish Date: 2025-12-23
URL: CVE-2025-68664
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (9.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-c67j-w6g6-q2cm
Release Date: 2025-12-23
Fix Resolution (langchain-core): 0.3.81
Direct dependency fix Resolution (langchain-openai): 0.1.21
In order to enable automatic remediation, please create workflow rules
CVE-2025-65106
Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Dependency Hierarchy:
- langchain_openai-0.1.20-py3-none-any.whl (Root Library)
- ❌ langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Found in base branch: main
Vulnerability Details
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.
Publish Date: 2025-11-21
URL: CVE-2025-65106
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-6qv9-48xg-fc7f
Release Date: 2025-11-20
Fix Resolution (langchain-core): 0.3.80
Direct dependency fix Resolution (langchain-openai): 0.1.21
In order to enable automatic remediation, please create workflow rules
CVE-2026-34070
Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Dependency Hierarchy:
- langchain_openai-0.1.20-py3-none-any.whl (Root Library)
- ❌ langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Found in base branch: main
Vulnerability Details
Summary Multiple functions in "langchain_core.prompts.loading" read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to "load_prompt()" or "load_prompt_from_config()", an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (".txt" for templates, ".json"/".yaml" for examples). Note: The affected functions ("load_prompt", "load_prompt_from_config", and the ".save()" method on prompt classes) are undocumented legacy APIs. They are superseded by the "dumpd"/"dumps"/"load"/"loads" serialization APIs in "langchain_core.load", which do not perform filesystem reads and use an allowlist-based security model. As part of this fix, the legacy APIs have been formally deprecated and will be removed in 2.0.0. Affected component Package: "langchain-core" File: "langchain_core/prompts/loading.py" Affected functions: "_load_template()", "_load_examples()", "_load_few_shot_prompt()" Severity High The score reflects the file-extension constraints that limit which files can be read. Vulnerable code paths | Config key | Loaded by | Readable extensions | |---|---|---| | "template_path", "suffix_path", "prefix_path" | "_load_template()" | ".txt" | | "examples" (when string) | "_load_examples()" | ".json", ".yaml", ".yml" | | "example_prompt_path" | "_load_few_shot_prompt()" | ".json", ".yaml", ".yml" | None of these code paths validated the supplied path against absolute path injection or ".." traversal sequences before reading from disk. Impact An attacker who controls or influences the prompt configuration dict can read files outside the intended directory: - ".txt" files: cloud-mounted secrets ("/mnt/secrets/api_key.txt"), "requirements.txt", internal system prompts - ".json"/".yaml" files: cloud credentials ("/.docker/config.json", "/.azure/accessTokens.json"), Kubernetes manifests, CI/CD configs, application settings This is exploitable in applications that accept prompt configs from untrusted sources, including low-code AI builders and API wrappers that expose "load_prompt_from_config()". Proof of concept from langchain_core.prompts.loading import load_prompt_from_config Reads /tmp/secret.txt via absolute path injection config = { "_type": "prompt", "template_path": "/tmp/secret.txt", "input_variables": [], } prompt = load_prompt_from_config(config) print(prompt.template) # file contents disclosed Reads ../../etc/secret.txt via directory traversal config = { "_type": "prompt", "template_path": "../../etc/secret.txt", "input_variables": [], } prompt = load_prompt_from_config(config) Reads arbitrary .json via few-shot examples config = { "_type": "few_shot", "examples": "../../../../.docker/config.json", "example_prompt": { "_type": "prompt", "input_variables": ["input", "output"], "template": "{input}: {output}", }, "prefix": "", "suffix": "{query}", "input_variables": ["query"], } prompt = load_prompt_from_config(config) Mitigation Update "langchain-core" to >= 1.2.22. The fix adds path validation that rejects absolute paths and ".." traversal sequences by default. An "allow_dangerous_paths=True" keyword argument is available on "load_prompt()" and "load_prompt_from_config()" for trusted inputs. As described above, these legacy APIs have been formally deprecated. Users should migrate to "dumpd"/"dumps"/"load"/"loads" from "langchain_core.load". Credit - "jiayuqi7813" (https://github.com/jiayuqi7813) reporter - "VladimirEliTokarev" (https://github.com/VladimirEliTokarev) reporter - "Rickidevs" (https://github.com/Rickidevs) reporter - Kenneth Cox (cczine@gmail.com) reporter
Publish Date: 2026-03-27
URL: CVE-2026-34070
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-qh6h-p6c9-ff54
Release Date: 2026-03-27
Fix Resolution: langchain-core - 1.2.22
CVE-2024-10940
Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Dependency Hierarchy:
- langchain_openai-0.1.20-py3-none-any.whl (Root Library)
- ❌ langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Found in base branch: main
Vulnerability Details
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prompts.ChatPromptTemplate's) with input variables that can read any user-specified path from the server file system. If the outputs of these prompt templates are exposed to the user, either directly or through downstream model outputs, it can lead to the exposure of sensitive information.
Publish Date: 2025-03-20
URL: CVE-2024-10940
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5chr-fjjv-38qv
Release Date: 2025-03-20
Fix Resolution: langchain-core - 0.3.15,https://github.com/langchain-ai/langchain.git - langchain==0.2.43,https://github.com/langchain-ai/langchain.git - langchain==0.3.15,langchain-core - 0.2.43,langchain-core - 0.1.53
CVE-2026-26013
Vulnerable Library - langchain_core-0.2.43-py3-none-any.whl
Building applications with LLMs through composability
Library home page: https://files.pythonhosted.org/packages/70/9b/b26405992d807a592ab3e7792f0eb2c2f71fe69111c972caf7786ba99199/langchain_core-0.2.43-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260309120528_NCWYTV/python_KWDIRO/202603091205291/env/lib/python3.9/site-packages/langchain_core-0.2.43.dist-info
Dependency Hierarchy:
- langchain_openai-0.1.20-py3-none-any.whl (Root Library)
- ❌ langchain_core-0.2.43-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 09f51f74740b88648be208302ec569217b51a66f
Found in base branch: main
Vulnerability Details
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Publish Date: 2026-02-10
URL: CVE-2026-26013
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-10
Fix Resolution (langchain-core): 1.2.11
Direct dependency fix Resolution (langchain-openai): 0.1.21
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules