GHSA-926X-3R5X-GFHW: Template Injection and Information Disclosure in LangChain Core
Vulnerability ID: GHSA-926X-3R5X-GFHW
CVSS Score: 5.3
Published: 2026-04-08
A moderate-severity vulnerability in the langchain-core package allows attackers to bypass template validation and access unauthorized internal object attributes. The flaw exists due to incomplete input validation in f-string prompt templates, specifically within the DictPromptTemplate and ImagePromptTemplate classes. Attackers can exploit this via malicious format specifiers to achieve information disclosure.
TL;DR
LangChain's langchain-core package (< 0.3.84, 1.0.0a1 to < 1.2.28) is vulnerable to template injection. Unsanitized f-string format specifiers allow attackers to extract internal attributes from rich Python objects passed to prompt templates. Update to version 0.3.84 or 1.2.28 to remediate.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1336
- Attack Vector: Network
- CVSS Score: 5.3
- Impact: Information Disclosure
- Authentication Required: None
- Exploit Status: Proof of Concept Available
Affected Systems
- LangChain Core Framework
- Applications utilizing DictPromptTemplate
- Applications utilizing ImagePromptTemplate
- langchain-core: < 0.3.84 (Fixed in: 0.3.84)
- langchain-core: 1.0.0a1 - < 1.2.28 (Fixed in: 1.2.28)
Code Analysis
Commit: 6bab0ba
Implemented unified f-string safety validation across PromptTemplate classes.
Commit: af2ed47
Additional formatting constraints to prevent positional injections and nested field bypasses.
Mitigation Strategies
- Upgrade langchain-core to a patched version (0.3.84 or 1.2.28)
- Strictly separate user input from template definitions; users should only provide variable values
- Sanitize complex Python objects into flat dictionaries or primitive types before passing them to the template engine
- Implement WAF rules to detect and block nested f-string patterns or attribute access strings in user input
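The separation and sanitization mitigations above, as an added example (not code from langchain-core or its fix commits): it uses the standard library's string.Formatter to reject replacement fields that use attribute access, indexing, positional names or nested fields inside a format specifier, and flattens non-primitive values before formatting. The names unsafe_fields, safe_format and Account are hypothetical, and the api_key value is constructed.

```python
from string import Formatter

PRIMITIVES = (str, int, float, bool)

def unsafe_fields(template: str) -> list[str]:
    """Return replacement fields that are more than a bare variable name."""
    flagged = []
    for _, field, spec, _ in Formatter().parse(template):
        if field is None:          # literal text or escaped braces
            continue
        if not field.isidentifier():
            # attribute access (a.b), indexing (a[b]), positional ({} / {0})
            flagged.append(field)
        elif spec and ("{" in spec or "}" in spec):
            # nested replacement field hidden inside the format specifier
            flagged.append(f"{field}:{spec}")
    return flagged

def safe_format(template: str, **values) -> str:
    """Format only validated templates, and only with primitive values."""
    flagged = unsafe_fields(template)
    if flagged:
        raise ValueError(f"rejected template fields: {flagged}")
    flat = {k: v if isinstance(v, PRIMITIVES) else str(v) for k, v in values.items()}
    return template.format(**flat)

class Account:
    """Constructed rich object; api_key is never meant to reach a prompt."""
    def __init__(self, name: str, api_key: str):
        self.name, self.api_key = name, api_key
    def __str__(self) -> str:
        return self.name

if __name__ == "__main__":
    acct = Account("ada", "sk-constructed-example")
    # Plain str.format follows the attribute and discloses the field.
    print("{user.api_key}".format(user=acct))
    for tpl in ("Hello {user}", "{user.api_key}", "{user:{user.api_key}}", "{0}"):
        try:
            print(repr(tpl), "->", safe_format(tpl, user=acct))
        except ValueError as exc:
            print(repr(tpl), "->", exc)
```

Running the same check over templates in unit tests shows which existing prompts would be rejected by stricter validation before the upgrade is deployed.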
Remediation Steps:
- Identify the current version of langchain-core in your environment using 'pip list | grep langchain-core'
- If the version is < 0.3.84 or between 1.0.0a1 and < 1.2.28, update your requirements.txt or pyproject.toml
- Execute 'pip install --upgrade "langchain-core>=0.3.84"' to apply the patch (the inner quotes stop the shell from treating '>' as an output redirection)
- Review application code to ensure end-users cannot arbitrarily define prompt template structures
- Run unit tests to verify that valid prompts format correctly under the new, stricter validation rules