Technical description
LangChain versions prior to 0.3.85 (v0) and 1.3.3 (v1) contain runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths call load() with permissive deserialization settings, so an attacker who can influence data flowing through agent runs (including via prompt injection, MCP tool responses, or RAG retrieval results that feed into serialized run state) can potentially achieve arbitrary code execution.
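The defensive counterpart to an overly broad allowlist is an explicit, narrow one applied before any payload reaches load(). The following is an added example, not LangChain's own code and not part of this advisory. It assumes only the documented LangChain serialization envelope (a dict carrying "lc": 1, a "type" of "constructor", "secret" or "not_implemented", and an "id" list naming the class path); the allowlisted message classes and the sample payloads are constructed for illustration.

```python
"""Pre-check a LangChain-style serialized payload against a narrow allowlist.

Added example (not LangChain's own code). Nodes are dicts with "lc": 1,
a "type" field and an "id" list naming the class path. Only constructor ids
listed in ALLOWED_CONSTRUCTORS pass; everything else is rejected before the
payload is ever handed to a deserializer.
"""
import json
from typing import Any, Iterator

# Narrow allowlist: only the message types this application actually expects
# to round-trip. Any other constructor is rejected, whatever namespace it claims.
ALLOWED_CONSTRUCTORS = frozenset({
    ("langchain", "schema", "messages", "HumanMessage"),
    ("langchain", "schema", "messages", "AIMessage"),
    ("langchain", "schema", "messages", "SystemMessage"),
})


def _walk(node: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (json_path, node) for every dict carrying an 'lc' marker, at any depth."""
    if isinstance(node, dict):
        if "lc" in node:
            yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def find_violations(payload: Any) -> list[str]:
    """Return human-readable reasons the parsed payload must not be deserialized."""
    problems: list[str] = []
    for path, node in _walk(payload):
        kind = node.get("type")
        ident = node.get("id")
        if not isinstance(ident, list) or not all(isinstance(s, str) for s in ident):
            problems.append(f"{path}: malformed id {ident!r}")
            continue
        if kind == "constructor":
            if tuple(ident) not in ALLOWED_CONSTRUCTORS:
                problems.append(f"{path}: constructor {'.'.join(ident)} not in allowlist")
        elif kind == "secret":
            # Secrets are resolved by name at load time; only accept env-var style names.
            if len(ident) != 1 or not ident[0].isidentifier():
                problems.append(f"{path}: unexpected secret reference {ident!r}")
        else:
            # "not_implemented" or an unknown marker: refuse rather than guess.
            problems.append(f"{path}: unsupported node type {kind!r}")
    return problems


def violations_in(raw_json: str) -> list[str]:
    """Parse raw JSON and report violations; unparseable input is itself a violation."""
    try:
        payload = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"$: invalid JSON ({exc.msg})"]
    return find_violations(payload)


def safe_to_load(raw_json: str) -> bool:
    """True only if the payload parses and contains no disallowed nodes."""
    return not violations_in(raw_json)


# Constructed sample payloads (not captured from any real system).
BENIGN = json.dumps({
    "lc": 1, "type": "constructor",
    "id": ["langchain", "schema", "messages", "HumanMessage"],
    "kwargs": {"content": "What is the refund policy?"},
})
# Same envelope, nested one level down, but the constructor id is outside the allowlist.
SUSPECT = json.dumps({"messages": [{
    "lc": 1, "type": "constructor",
    "id": ["some_package", "some_module", "UnexpectedClass"],
    "kwargs": {"arg": "x"},
}]})

if __name__ == "__main__":
    print("benign ok:", safe_to_load(BENIGN))
    print("suspect violations:", violations_in(SUSPECT))
```

The check is deliberately independent of the deserializer: it treats the payload as plain JSON, so a constructor that the library's own allowlist would accept is still rejected here unless the application has listed it. Extend ALLOWED_CONSTRUCTORS only with classes the pipeline genuinely needs to round-trip.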
Attack vector
An attacker who can influence LangChain run input or output data (e.g. via prompt injection into an agent's tool responses, malicious RAG document content, or a compromised MCP server response) may trigger the unsafe deserialization path and achieve code execution within the host process. No authentication is required when the agent handles untrusted external data.
Affected systems
LangChain versions 0.x before 0.3.85 and 1.x before 1.3.3. The library is widely deployed across enterprise agentic AI pipelines, RAG applications, and LLM tool-use frameworks.
Mitigation
Upgrade to langchain >= 0.3.85 (v0 branch) or >= 1.3.3 (v1 branch) immediately. Audit all LangChain agent pipelines that process untrusted external data (user input, web content, document retrieval, tool responses) for paths where that data reaches deserialization. Review any use of load() with permissive deserialization settings in custom integrations.