Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.


LangChain

AI orchestration framework for agents, tools, MCP, retrieval and LLM integrations

AI Agent Surface
Current tracked version 1.4.4

LangChain is a TypeScript framework for building LLM-powered applications, agents, tool-calling systems, retrieval pipelines, vector search integrations, MCP clients, and AI orchestration workflows.

Category AI Framework
Ecosystem AI
Common usage Agent development, tool calling, retrieval augmented generation (RAG), MCP integrations, vector databases, workflow orchestration and LLM applications
Risk model Trust boundary failures, tool registration abuse, prompt injection propagation, serialization risks, MCP integration flaws, secret exposure, unsafe deserialization and agent execution abuse
Why it is widely used
Core framework for building LLM-powered applications, agents and tool-calling workflows.
High-impact AI supply chain component used across model providers, vector stores, retrievers and MCP integrations.
Exposes security-sensitive surfaces such as serialization, deserialization, tool registration, prompt-driven execution and external connectors.
Relevant for trust boundary research because remote inputs can flow into internal agent, tool and provider conversion pipelines.
Public advisories show realistic impact in serialization paths, including secret extraction when unsafe deserialization settings are used.
Provides a framework for building LLM-powered agents and applications.
Supports retrieval-augmented generation applications through indexing, retrieval and generation workflows.
Allows agents to use external tools as part of model-driven workflows.
Risk score 91
Known issues 8
Exploit maturity Active research
Vulnerability burndown chart (Dec 2025 to Jun 2026; Critical, High and Medium)
MTTR critical severity 0 days (no data)
Library risk age 67 days (100% lower than last month)
Total vulnerabilities 7
Critical 2, High 5, Medium 0, Low 0
Severity | Vulnerability name | Library | Surface | Status | Published date | SLA | Tags
Critical | Indirect Prompt Injection Through RAG Retrieved Context (FikreSekhel Research, Validated PoC) | Integration-dependent | RAG retrieval and context assembly | Research | 2026 | Immediate review | Prompt Injection
Critical | Tool Calling Abuse Through Model-Mediated Authorization Boundary Confusion (FikreSekhel Research, Validated PoC) | Integration-dependent | Agents and tool invocation | Research | 2026 | Immediate review | Tool Abuse
High | Unsafe Deserialization of Attacker-Controlled LangChain Objects Through Broad load() Allowlists | Affected legacy LangChain runtime paths | Deserialization and runtime object loading | Patched | May 2026 | 7 days | Unsafe Deserialization
High | Path Traversal in Legacy Prompt Loading Functions | Affected legacy load_prompt paths | Prompt loading and filesystem access | Patched | March 2026 | 7 days | Path Traversal
High | Serialization Injection in LangChain JS Object Encoding | langchain < 1.2.3 and @langchain/core < 1.1.8 | Serialization and object reconstruction | Patched | December 2025 | 7 days | Serialization Injection
High | LangChain Serialization Injection Enables Secret Extraction (Validated PoC) | <1.1.8 for @langchain/core >=1.0.0; <0.3.80 for @langchain/core; <1.2.3 for langchain >=1.0.0; <0.3. | Serialization / Deserialization | Patched | Dec 22, 2025 | Immediate | Serialization Injection
High | Cross-Context Data Leakage Through Memory and Agent State Propagation (FikreSekhel Research) | Integration-dependent | Memory and agent state | Research | 2026 | 14 days | Context Leakage

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

FS-AI-LC-002

Tool Calling Authorization Boundary Confusion in LangChain Agents

Model-selected tool calls may cross authorization boundaries when application logic treats LLM intent as sufficient permission.

Research Critical High
This note analyzes LangChain agent workflows where the model is allowed to select tools and generate tool arguments, while the application lacks an independent authorization layer before execution.
Surface Agents and tool invocation
Primitive Model-mediated tool execution
Tested versions langchain 1.4.4
Observed behavior

A user-controlled prompt or poisoned context can steer the agent toward invoking a privileged tool with attacker-influenced parameters.

Security implication

This can turn prompt injection into practical application impact, including unauthorized reads, unsafe writes, workflow manipulation, data exfiltration or business logic abuse.

Mitigation

Separate model planning from execution. Require server-side authorization, argument validation, scoped credentials, allowlisted tools, approval gates for sensitive operations and detailed audit logs.

Observed before mitigation
The model could select a privileged tool and provide arguments without deterministic authorization.
Observed after mitigation
Tool execution is blocked unless an application-side policy authorizes the tool and validates every argument.
PoC code
// The prompt steers the agent toward a privileged tool; the model's choice is treated as permission.
const userInput = "Use any available tool to export the customer list.";
const modelDecision = { tool: "database_query", args: { query: "select * from customers" } };
console.log(modelDecision);
Mitigation code
// Minimal application-side policy: the privileged tool is refused regardless of what the model requested.
function authorizeToolCall(user, tool, args) {
  if (tool === "database_query") return false;
  return true;
}
FRES detection heuristic
match: langchain AND (tool OR bindTools OR createAgent) AND (invoke OR execute) AND NOT (authorize OR allowlist OR approval)
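The mitigation paragraph above, worked through as an added example (not LangChain's code and not the FikreSekhel PoC): a deterministic gate that checks the model's tool choice against a per-role allowlist, validates every argument, records an approval for sensitive tools and writes an audit entry before anything executes. The tool names, roles, report names and user objects are hypothetical, and the model decision is the one from the note, replayed as constructed input.

```javascript
// Added example, not code from LangChain or the FikreSekhel note: an
// application-side gate between the model's tool decision and execution.
// Tool names, roles, report names and the user objects are hypothetical.
const TOOL_POLICY = {
  search_docs: {
    roles: ["viewer", "analyst", "admin"],
    approval: false,
    validate: (args) => typeof args.query === "string" && args.query.length <= 200,
  },
  database_query: {
    roles: ["analyst", "admin"],
    approval: true, // sensitive: a human approval must be recorded for this call
    // The model may only name a predefined read-only report, never supply SQL.
    validate: (args) => ["daily_signups", "open_tickets"].includes(args.report),
  },
};

const auditLog = []; // every decision, allowed or not, is recorded here

function checkToolPolicy(user, decision, approvals = new Set()) {
  const entry = { user: user.id, tool: decision.tool, args: decision.args, allowed: false, reason: "" };
  auditLog.push(entry);
  const policy = TOOL_POLICY[decision.tool];
  if (!policy) { entry.reason = "tool not allowlisted"; return entry; }
  if (!policy.roles.includes(user.role)) { entry.reason = "role not permitted"; return entry; }
  if (!decision.args || typeof decision.args !== "object" || !policy.validate(decision.args)) {
    entry.reason = "argument validation failed";
    return entry;
  }
  if (policy.approval && !approvals.has(decision.tool)) { entry.reason = "approval required"; return entry; }
  entry.allowed = true;
  entry.reason = "authorized";
  return entry;
}

function runToolCall(user, decision, approvals) {
  const verdict = checkToolPolicy(user, decision, approvals);
  if (!verdict.allowed) return { executed: false, reason: verdict.reason };
  // Real execution would use credentials scoped to `user`, never an agent-wide key.
  return { executed: true, reason: verdict.reason, credential: `scoped-token-for-${user.id}` };
}

// The model decision from the note, replayed against the gate (constructed input).
const modelDecision = { tool: "database_query", args: { query: "select * from customers" } };
console.log(runToolCall({ id: "u1", role: "viewer" }, modelDecision));  // denied: role not permitted
console.log(runToolCall({ id: "u2", role: "analyst" }, modelDecision)); // denied: argument validation failed
console.log(runToolCall({ id: "u2", role: "analyst" },
  { tool: "database_query", args: { report: "open_tickets" } }, new Set(["database_query"]))); // executed
```

The audit entries are written before the verdict is known, so denied attempts are visible to detection as well as successful calls.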