{"data":{"id":"a39669b8-ec7f-43d1-a668-57adf4667752","title":"GHSA-pjwx-r37v-7724: LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists","summary":"LangChain has a vulnerability where older code paths pass untrusted user input through `load()`/`loads()` with an overly broad allowlist of revivable classes, so an attacker who controls the serialized input can name LangChain objects that are then instantiated with attacker-controlled constructor arguments. The vulnerability only affects applications that accept untrusted structured input (like JSON), do not validate it before use, and feed it to affected APIs such as `RunnableWithMessageHistory`, `astream_log()`, or `astream_events(version=\"v1\")`.","solution":"Upgrade `langchain-core` to a fixed release (0.3.85 for the 0.3.x line, 1.3.3 for the 1.x line); the fix tightens `load()` and `loads()` so broad object revival is no longer applied implicitly to untrusted input. LangChain is also deprecating the affected APIs (`RunnableWithMessageHistory`, `astream_log()`, and `astream_events(version=\"v1\")`) and recommends migrating to the newer streaming and memory patterns such as the `stream` API. Until the upgrade is in place, treat any structured input that reaches these APIs as untrusted: validate it against an explicit schema first and never pass raw client-supplied JSON to `load()`/`loads()`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-pjwx-r37v-7724","publishedAt":"2026-05-08T23:07:32.000Z","cveId":"CVE-2026-44843","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain","prompt_injection"],"issueType":"vulnerability","affectedPackages":["langchain-core@<= 0.3.84 (fixed: 0.3.85)","langchain-core@>= 1.0.0, <= 1.3.2 (fixed: 
1.3.3)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-08T23:07:32.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}