Vulnerability Intelligence

Public vulnerability intelligence, dependency exposure and research context for npm packages.


LangChain

AI orchestration framework for agents, tools, MCP, retrieval and LLM integrations

AI Agent Surface
Current tracked version: 1.4.4 (status badges: Fixed / Affected)

LangChain is a TypeScript framework for building LLM-powered applications, agents, tool-calling systems, retrieval pipelines, vector search integrations, MCP clients, and AI orchestration workflows.

Category: AI Framework
Ecosystem: AI
Common usage: Agent development, tool calling, retrieval augmented generation (RAG), MCP integrations, vector databases, workflow orchestration and LLM applications
Risk model: Trust boundary failures, tool registration abuse, prompt injection propagation, serialization risks, MCP integration flaws, secret exposure, unsafe deserialization and agent execution abuse
Why it is widely used
Core framework for building LLM-powered applications, agents and tool-calling workflows.
High-impact AI supply chain component used across model providers, vector stores, retrievers and MCP integrations.
Exposes security-sensitive surfaces such as serialization, deserialization, tool registration, prompt-driven execution and external connectors.
Relevant for trust boundary research because remote inputs can flow into internal agent, tool and provider conversion pipelines.
Public advisories show realistic impact in serialization paths, including secret extraction when unsafe deserialization settings are used.
Provides a framework for building LLM-powered agents and applications.
Supports retrieval-augmented generation applications through indexing, retrieval and generation workflows.
Allows agents to use external tools as part of model-driven workflows.
Risk score: 91
Known issues: 8
Exploit maturity: Active research
Vulnerability burndown (chart, Dec 2025 to Jun 2026; series: Critical, High, Medium)
MTTR, critical severity: 0 days (No data)
Library risk age: 67 days (100% lower than last month)
Total vulnerabilities: 7 (Critical 2, High 5, Medium 0, Low 0)
Severity | Vulnerability name | Library | Surface | Status | Published date | SLA | Tags
Critical | Indirect Prompt Injection Through RAG Retrieved Context (FikreSekhel Research, Validated PoC) | Integration-dependent | RAG retrieval and context assembly | Research | 2026 | Immediate review | Prompt Injection
Critical | Tool Calling Abuse Through Model-Mediated Authorization Boundary Confusion (FikreSekhel Research, Validated PoC) | Integration-dependent | Agents and tool invocation | Research | 2026 | Immediate review | Tool Abuse
High | Unsafe Deserialization of Attacker-Controlled LangChain Objects Through Broad load() Allowlists | Affected legacy LangChain runtime paths | Deserialization and runtime object loading | Patched | May 2026 | 7 days | Unsafe Deserialization
High | Path Traversal in Legacy Prompt Loading Functions | Affected legacy load_prompt paths | Prompt loading and filesystem access | Patched | March 2026 | 7 days | Path Traversal
High | Serialization Injection in LangChain JS Object Encoding | langchain < 1.2.3 and @langchain/core < 1.1.8 | Serialization and object reconstruction | Patched | December 2025 | 7 days | Serialization Injection
High | LangChain Serialization Injection Enables Secret Extraction (Validated PoC) | <1.1.8 for @langchain/core >=1.0.0; <0.3.80 for @langchain/core; <1.2.3 for langchain >=1.0.0; <0.3. | Serialization / Deserialization | Patched | Dec 22, 2025 | Immediate | Serialization Injection
High | Cross-Context Data Leakage Through Memory and Agent State Propagation (FikreSekhel Research) | Integration-dependent | Memory and agent state | Research | 2026 | 14 days | Context Leakage
FikreSekhel Research

Research Notes

Behavioral findings, exploitability observations and operational dependency intelligence produced by FikreSekhel for this library.

FS-AI-LC-003

Cross-Context Data Leakage Through LangChain Memory and Agent State

Persistent memory and reusable agent state can leak information when tenant, user or session boundaries are not enforced.

Research High High
This research note covers leakage risks in LangChain applications that persist chat history, intermediate tool results, retrieved context or agent state across requests.
Surface: Memory and agent state
Primitive: Cross-session context propagation
Tested versions: langchain 1.4.4
Observed behavior

Sensitive snippets from a previous interaction may be reintroduced into a later prompt, retrieved by mistake or used as hidden context for another user session.

Security implication

In multi-user systems, this may create cross-tenant data exposure, privacy violations, unauthorized context reuse and unreliable model behavior.

Mitigation

Partition memory by tenant, user and session. Apply expiration, sensitivity labels, context minimization, access control and explicit state reset behavior.

Observed before mitigation
Memory was globally reusable and could be assembled into later prompts without identity isolation.
Observed after mitigation
Memory is scoped by tenant, user and session, with explicit expiration and context minimization.
PoC code (deliberately leaky: one process-wide memory array shared by every user):

    // Memory shared by every user of the process, with no identity scoping
    const sharedMemory = [];
    // Alice's interaction stores sensitive context
    sharedMemory.push({ user: "alice", secret: "internal project context" });
    // The next request assembles prompt context from everything in memory,
    // so Alice's secret flows into another user's prompt
    const nextUserContext = sharedMemory.map(x => x.secret).join("\n");
    console.log(nextUserContext);
Mitigation code:

    // tenantId, userId and sessionId come from the authenticated request,
    // never from model output or user-supplied prompt text
    const memoryKey = `${tenantId}:${userId}:${sessionId}`;
    // memoryStore is a per-key backend (e.g. a Map); an unknown key yields
    // empty memory rather than falling back to a shared bucket
    const isolatedMemory = memoryStore.get(memoryKey) ?? [];
FRES detection heuristic:

    match: langchain AND (memory OR chatHistory OR checkpoint OR thread_id) AND NOT (tenantId OR sessionId OR userId)
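The mitigation above lists five controls (scoping by tenant, user and session; expiration; sensitivity labels; context minimization; explicit reset). The following is an added example, not FikreSekhel's or LangChain's code, that implements all five in one small memory store and then replays the PoC scenario against it: Alice's session stores an internal note and a secret, and Bob, in the same tenant but a different user and session, sees neither. The class name `ScopedMemoryStore`, the label vocabulary, the TTL and the sample identities are all constructed for the example.

```javascript
// Added example (not FikreSekhel's or LangChain's code): a memory store that
// enforces the FS-AI-LC-003 mitigation. Keys are scoped by tenant, user and
// session; entries carry a TTL and a sensitivity label; prompt assembly only
// sees entries that pass a minimization filter. All identifiers and sample
// data below are constructed for illustration.

class ScopedMemoryStore {
  constructor({ ttlMs = 30 * 60 * 1000, now = () => Date.now() } = {}) {
    this.ttlMs = ttlMs;
    this.now = now;              // injectable clock, so expiry is testable
    this.entries = new Map();    // scopeKey -> [{ text, label, storedAt }]
  }

  // One key per (tenant, user, session). A missing identity component is an
  // error, never a fallback to a shared or global bucket.
  static scopeKey({ tenantId, userId, sessionId }) {
    if (!tenantId || !userId || !sessionId) {
      throw new Error("memory access requires tenantId, userId and sessionId");
    }
    return `${tenantId}:${userId}:${sessionId}`;
  }

  // label is one of "public" | "internal" | "secret" (constructed vocabulary)
  remember(identity, text, label = "internal") {
    const key = ScopedMemoryStore.scopeKey(identity);
    if (!this.entries.has(key)) this.entries.set(key, []);
    this.entries.get(key).push({ text, label, storedAt: this.now() });
  }

  // Returns only unexpired entries for this exact scope, minimized to the
  // labels the caller may place into a prompt and capped in count.
  contextFor(identity, { allowedLabels = ["public", "internal"], maxEntries = 20 } = {}) {
    const key = ScopedMemoryStore.scopeKey(identity);
    const cutoff = this.now() - this.ttlMs;
    const live = (this.entries.get(key) || []).filter(e => e.storedAt >= cutoff);
    this.entries.set(key, live);   // drop expired entries on read
    return live
      .filter(e => allowedLabels.includes(e.label))
      .slice(-maxEntries)
      .map(e => e.text);
  }

  // Explicit state reset, e.g. at session end or logout.
  reset(identity) {
    this.entries.delete(ScopedMemoryStore.scopeKey(identity));
  }
}

// Constructed demo replaying the PoC scenario against the scoped store.
function demo() {
  let clock = 0;
  const store = new ScopedMemoryStore({ ttlMs: 1000, now: () => clock });
  const alice = { tenantId: "acme", userId: "alice", sessionId: "s1" };
  const bob = { tenantId: "acme", userId: "bob", sessionId: "s2" };

  store.remember(alice, "internal project context", "internal");
  store.remember(alice, "api key lives in vault path X", "secret");

  const aliceCtx = store.contextFor(alice);    // secret-labelled entry is minimized out
  const bobCtx = store.contextFor(bob);        // different scope: nothing leaks

  clock = 2000;                                // advance past the TTL
  const aliceLater = store.contextFor(alice);  // expired: empty

  return { aliceCtx, bobCtx, aliceLater };
}

console.log(JSON.stringify(demo()));
```

The point the detection heuristic is probing for is visible in `scopeKey`: the store refuses to operate without all three identity components, so the failure mode observed before mitigation (memory assembled into a later prompt with no identity isolation) cannot occur silently. The identity object must be derived from the authenticated request, not from anything the model or the user supplied in the conversation.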