Bounties
Partners
Community
Info
langchain-ai / langchain
Project repository
🦜🔗 Build context-aware reasoning applications
Submit a report
FIRST INTERACTION
WITHIN
N/A DAYS
REVIEW
WITHIN
18 DAYS
FIX
WITHIN
77 DAYS
OS Command Injection In scripts/release_branch.py Allows Arbitrary Code Executio...
Jul 8th 2025
ashmitsh4rma
•
spam
Arbitrary Code Execution in LangGraph create_react_agent Function
Jun 10th 2025
jeremycfwong
•
not applicable
knowledge poisoning attacks to LangChain's RAG
Jul 13th 2025
gongyuyang-alt
•
pending
Vulnerability Report: Groq API Key Exposure in langsmith-sdk
Jun 28th 2025
bhartisaurav
•
pending
SSRF Vulnerability in RequestsToolkit in langchain-community in langchain-ai/lan...
Jun 23rd 2025
ano251
•
High
High
•
CVE-2025-2828
CVE-2025-2828
SSRF Vulnerability in RequestsToolkit in langchain-community
Mar 25th 2025
ano251
•
self closed
Leakage of Hidden Elements via Prompt Injection Against LLM Browser Agents
Feb 18th 2025
melonattacker
•
informative
Medium
By default, LangGraph (agentic library by LangChain) exposes an error object (th...
May 5th 2025
m-kemarskyi
•
pending
Snowflake Cortex LLM SQL injection
Apr 14th 2025
joned91
•
pending
xxxx
Mar 13th 2025
marklee131
•
pending
The create_sql_agent function can trigger an SQL injection vulnerability.
Jan 22nd 2025
bacmiao
•
informative
Critical
XXE in EverNoteLoader in langchain-ai/langchain
Feb 13th 2025
cyjhhh
•
duplicate
High
XXE in UnstructuredXMLLoader and EverNoteLoader
Dec 5th 2024
cyjhhh
•
duplicate
Medium
Rce attack exploiting GraphCypherQAChain in langchain
Nov 7th 2024
samr301
•
duplicate
Critical
Read from host file system via ImagePromptTemplate in langchain-core
Feb 9th 2025
baskaryan
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-10940
CVE-2024-10940
DoS in WebResearchRetriever
Dec 18th 2024
agentsec
•
informative
High
ReDoS(Regular expression Denial of Service) on MRKLOutputParser
Nov 19th 2024
life-team2024
•
informative
Medium
SQL injection with earliest_time parameter in TiDBChatMessageHistory Class
Nov 26th 2024
life-team2024
•
informative
Medium
Succeed to trigger Reverse Shell(RCE) via Prompt
Sep 24th 2024
life-team2024
•
not applicable
Lack of Input Validation in ContextSet Allows Unauthorized Data Access
Sep 24th 2024
jedisol24
•
not applicable
Bypass of RecursiveUrlLoader SSRF protection mechanisms ‘prevent_outside’ (SSRF+...
Sep 9th 2024
nnfrog
•
informative
Low
Bug Bounty Report: Improper Certificate Validation
Aug 21st 2024
past3l
•
spam
Read and write files with create_sql_agent
Jul 26th 2024
0gur1
•
informative
Critical
Introduce malicious json through load_prompt(".json") to cause arbitrary command...
Jul 23rd 2024
trinity-syt-security
•
spam
Path traversal that leads to arbitrary file read
Jul 15th 2024
021w
•
not applicable
Blind Cypher Injection in the langchain_community using the Neo4jVector class
Aug 13th 2024
liadlevy
•
informative
Critical
Prompt injection in the GraphCypherQAChain class results in SQL injection, compl...
Sep 26th 2024
liadlevy
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-8309
CVE-2024-8309
Path Traversal in BibtexLoder in langchain-community
Sep 26th 2024
021w
•
pending
pickle deserialization vulnerability
Sep 17th 2024
cn-panda
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-5998
CVE-2024-5998
CVE-2024-27444(LangChain PALChain RCE) Bypass
Jun 13th 2024
cn-panda
•
duplicate
Critical
Arbitrary File Read Vulnerability using SSRF
May 23rd 2024
evrenyal
•
informative
Medium
Arbitrary Code Execution: Bypass of Fixes for CVE-2023-36258 and CVE-2023-44467
May 16th 2024
satoki
•
not applicable
Exposure of WRITE_KEY in the code
May 13th 2024
noorhomaid
•
not applicable
Multiple default insecure data source loaders lead to xxe vulnerability
May 14th 2024
virusday
•
informative
Critical
HTML code injection
Apr 5th 2024
newb3ast
•
not applicable
langchain_experimental (aka LangChain Experimental) in LangChain before > 0.1.13...
Mar 25th 2024
yuligesec
•
duplicate
Critical
Denial-of-Service in LangChain SitemapLoader
May 12th 2024
dxan29a
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-2965
CVE-2024-2965
IDOR leading to send feedback messages
May 8th 2024
mdakh404
•
not applicable
Server-Side Request Forgery (SSRF) in langchain-ai/langchain
Apr 1st 2024
supersuperbang
•
informative
High
SSRF in Langchain Web Research Retriever
May 2nd 2024
ehtec
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-3095
CVE-2024-3095
HTML Injection in [chat.langchain.com]
Mar 5th 2024
theo0k
•
not applicable
RCE & API token leakage via URI traversal
Apr 20th 2024
pinkdraconian
•
Low
•
$20
Low
•
$20
•
CVE-2024-28088
CVE-2024-28088
Unrestricted SSRF when using requests tools
Feb 8th 2024
ehtec
•
not applicable
Billion laughs vulnerability that leads to DOS
Mar 25th 2024
0xanis
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-1455
CVE-2024-1455
Prompt Injection leading to Arbitrary Code Execution
Feb 1st 2024
vvxhid
•
informative
Critical
Server Side Request Forgery (SSRF)
Jan 17th 2024
m0kr4n3
•
informative
High
Server-Side Request Forgery (SSRF)
Feb 24th 2024
m0kr4n3
•
Low
•
$20
Low
•
$20
•
CVE-2024-0243
CVE-2024-0243
Command injection in PALChain function
Jan 8th 2024
ouxs-19
•
informative
Critical
Remote Code Execution due to Deserialization of Untrusted Pickle Files
Jan 4th 2024
ninjafit
•
informative
Critical
Local File Inclusion (LFI) to Remote Code Execution
Apr 16th 2024
ninjafit
•
Medium
•
$125
Medium
•
$125
•
CVE-2024-3571
CVE-2024-3571
CRITICAL
$0
HIGH
$0
MEDIUM
$0
LOW
$0
