CVE-2024-58340

High CVSS: 8.7

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

Vendor

Langchain

Product

Langchain

CWE

CWE-1333

Yayın Tarihi

2026-01-12 23:15:51

Güncelleme

2026-01-21 17:57:56

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-1333 Langchain HIGH Langchain 2026

Referanslar

https://github.com/langchain-ai/langchain https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb https://www.langchain.com/ https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos

Benzer Kayıtlar

High

CVE-2026-34070

LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions i…

High

CVE-2026-25750

Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. Prior to langchain-ai/helm ver…

Medium

CVE-2026-26019

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langch…

Low

CVE-2026-26013

LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_token…

High

CVE-2025-68665

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and…

Critical

CVE-2025-68664

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a seriali…