OSV - Open Source Vulnerabilities

GHSA-pjwx-r37v-7724

PyPI/langchain-core

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

08 May

Fix available
Severity - 8.2 (High)

GHSA-926x-3r5x-gfhw

PyPI/langchain-core

LangChain has incomplete f-string validation in prompt templates

08 Apr

Fix available
Severity - 5.3 (Medium)

GHSA-qh6h-p6c9-ff54

PyPI/langchain-core

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

27 Mar

Fix available
Severity - 7.5 (High)

GHSA-2g6r-c272-w58r

PyPI/langchain-core

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

11 Feb

Fix available
Severity - 3.7 (Low)

GHSA-c67j-w6g6-q2cm

PyPI/langchain-core

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

23 Dec 2025

Fix available
Severity - 9.3 (Critical)

GHSA-6qv9-48xg-fc7f

PyPI/langchain-core

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

20 Nov 2025

Fix available
Severity - 8.3 (High)

GHSA-5chr-fjjv-38qv

PyPI/langchain-core

langchain-core allows unauthorized users to read arbitrary files from the host file system

20 Mar 2025

Fix available
Severity - 5.3 (Medium)

GHSA-q84m-rmw3-4382

PyPI/langchain-core

LangChain's XMLOutputParser vulnerable to XML Entity Expansion

26 Mar 2024

Fix available
Severity - 5.9 (Medium)

GHSA-h59x-p739-982c

PyPI/langchain
PyPI/langchain-core

LangChain directory traversal vulnerability

04 Mar 2024

Fix available

PYSEC-2024-45

PyPI/langchain-core

See record for full details

04 Mar 2024

Fix available