Skip to content

fix(deps): update dependency langchain-core to v1.3.3 [security]#905

Merged
Smartappli merged 1 commit into
masterfrom
renovate/pypi-langchain-core-vulnerability
May 9, 2026
Merged

fix(deps): update dependency langchain-core to v1.3.3 [security]#905
Smartappli merged 1 commit into
masterfrom
renovate/pypi-langchain-core-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented May 9, 2026

This PR contains the following updates:

Package Change Age Confidence
langchain-core (changelog) ==1.3.2==1.3.3 age confidence

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists

CVE-2026-44843 / GHSA-pjwx-r37v-7724

More information

Details

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments.

Applications are exposed only when all of the following are true:

  1. The application accepts untrusted structured input, such as JSON, from a user or network request.
  2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain.
  3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs.
  4. The application uses an affected API path that later deserializes that run data.

Known affected runtime surfaces include:

  • RunnableWithMessageHistory
  • astream_log()
  • astream_events(version="v1")

Related unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores.

Applications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive.

This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (_is_lc_secret). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during dumps() -> loads() round-trips and reach LangChain object revival logic.

Impact

An attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as:

{
  "lc": 1,
  "type": "constructor",
  "id": ["langchain_core", "messages", "ai", "AIMessage"],
  "kwargs": {"content": "attacker-controlled content"}
}

If this payload reaches a broad load() call, LangChain may instantiate the referenced class instead of treating the payload as inert user data.

Realistic impacts include:

  • Persistent chat-history poisoning when revived AIMessage, HumanMessage, or SystemMessage objects are stored by RunnableWithMessageHistory.
  • Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context.
  • Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments.
  • Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization.
  • Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects.
Remediation

LangChain will deprecate the affected APIs as part of this fix:

  • RunnableWithMessageHistory
  • astream_log()
  • astream_events(version="v1")

These are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the stream API. Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces.

Separately, LangChain will update load() and loads() to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization.

This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (_is_lc_secret). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during dumps() -> loads() round-trips and reach LangChain object revival logic.

Guidance for load() and loads()

load() and loads() should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to load() or loads(), and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data.

load() and loads() are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. Users should pass a narrow allowed_objects value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or allowed_objects="all", which permits the full trusted LangChain serialization allowlist.

Credits

The original issue was first reported by @​u-ktdi.

Similar findings were reported by @​dewankpant, @​shrutilohani, @​Moaaz-0x, @​pucagit.

A related _is_lc_secret marker bypass affecting dumps() -> loads() round-trips was reported by @​yardenporat353 (and a similar report by @​localhost-detect)

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file renovate labels May 9, 2026
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented May 9, 2026

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: AIMER-ROOT/uv.lock
Command failed: uv lock --upgrade-package langchain-core
Using CPython 3.14.4 interpreter at: /opt/containerbase/tools/python/3.14.4/bin/python3
  × No solution found when resolving dependencies for split (markers:
  │ sys_platform == 'darwin'):
  ╰─▶ Because tensorflow{sys_platform == 'darwin'}==2.21.0 has no
      wheels with a matching Python version tag (e.g., `cp314`) and only
      tensorflow{sys_platform == 'darwin'}<=2.21.0 is available, we can
      conclude that tensorflow{sys_platform == 'darwin'}>=2.21.0 cannot be
      used.
      And because mage depends on tensorflow{sys_platform == 'darwin'}>=2.21.0
      and your workspace requires mage, we can conclude that your workspace's
      requirements are unsatisfiable.

      hint: The resolution failed for an environment that is not the current
      one, consider limiting the environments with `tool.uv.environments`.

      hint: Wheels are available for `tensorflow` (v2.21.0) with the following
      Python ABI tags: `cp310`, `cp311`, `cp312`, `cp313`

@codacy-production
Copy link
Copy Markdown

codacy-production Bot commented May 9, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@Smartappli Smartappli merged commit e8627e9 into master May 9, 2026
19 of 26 checks passed
@Smartappli Smartappli deleted the renovate/pypi-langchain-core-vulnerability branch May 9, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Smartappli