AI Threat Alert

CVE-2023-34541: LangChain: RCE via unsafe load_prompt deserialization

CRITICAL PoC AVAILABLE CISA: ATTEND
Published June 20, 2023
CISO Take

Any LangChain deployment at version 0.0.171 or earlier using load_prompt is critically exposed to unauthenticated remote code execution — no user interaction required. Upgrade to a patched version immediately; if patching is blocked, disable all load_prompt calls or restrict them to fully trusted, internal sources. Given LangChain's prevalence in AI agent and RAG architectures, assume blast radius extends to the host system and downstream model serving infrastructure.

What is the risk?

Severity is maximum practical risk: CVSS 9.8 with network-accessible attack vector, low complexity, no privileges, no user interaction, and full C/I/A impact. LangChain 0.0.171 was widely deployed at publication time across production AI pipelines, making the exposed surface area large. The vulnerability requires only the ability to supply an attacker-controlled URL or file path to load_prompt, which is a common pattern in agentic and configuration-driven LangChain applications. No weaponization barrier exists — proof-of-concept exploits were publicly linked in the original GitHub issue.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 3d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.9%
chance of exploitation in 30 days
Higher than 56% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

6 steps

  1. Patch: Upgrade LangChain to any version above 0.0.171 immediately.

  2. Inventory: Search codebase for all calls to load_prompt and document their input sources.

  3. Workaround (if patching delayed): Remove or gate load_prompt calls behind strict allowlists of trusted, internal URIs only — never accept user-supplied or externally-sourced paths.

  4. Containment: Run LangChain services with least-privilege OS accounts, restrict outbound network from AI servers, and isolate with network segmentation.

  5. Detection: Monitor for anomalous subprocess spawning, unexpected outbound connections, or file reads from unusual paths in processes hosting LangChain.

  6. Secrets audit: Rotate any API keys, model service credentials, or database passwords accessible from the compromised process scope.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Data Extraction Framework Agent AML.T0010.001 AML.T0025 AML.T0049 AML.T0050 AML.T0072

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.8.3 - AI system security
NIST AI RMF
GV-6.1 - Policies and procedures for AI risk and impact MS-2.5 - Practices and personnel for AI risk management
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-34541?

Any LangChain deployment at version 0.0.171 or earlier using load_prompt is critically exposed to unauthenticated remote code execution — no user interaction required. Upgrade to a patched version immediately; if patching is blocked, disable all load_prompt calls or restrict them to fully trusted, internal sources. Given LangChain's prevalence in AI agent and RAG architectures, assume blast radius extends to the host system and downstream model serving infrastructure.

Is CVE-2023-34541 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-34541, increasing the risk of exploitation.

How to fix CVE-2023-34541?

1. Patch: Upgrade LangChain to any version above 0.0.171 immediately. 2. Inventory: Search codebase for all calls to load_prompt and document their input sources. 3. Workaround (if patching delayed): Remove or gate load_prompt calls behind strict allowlists of trusted, internal URIs only — never accept user-supplied or externally-sourced paths. 4. Containment: Run LangChain services with least-privilege OS accounts, restrict outbound network from AI servers, and isolate with network segmentation. 5. Detection: Monitor for anomalous subprocess spawning, unexpected outbound connections, or file reads from unusual paths in processes hosting LangChain. 6. Secrets audit: Rotate any API keys, model service credentials, or database passwords accessible from the compromised process scope.

What systems are affected by CVE-2023-34541?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application backends, model serving, AI orchestration platforms.

What is the CVSS score for CVE-2023-34541?

CVE-2023-34541 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.94%.

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinesLLM application backendsmodel servingAI orchestration platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.3
NIST AI RMF: GV-6.1, MS-2.5
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.

Exploitation Scenario

An adversary hosts a malicious YAML prompt template at an attacker-controlled URL. The file embeds a Python deserialization payload (e.g., via PyYAML's !!python/object constructor or equivalent). The attacker sends a request to a LangChain-backed application endpoint that accepts a prompt configuration path — common in agent orchestration UIs, no-code AI builders, or misconfigured API endpoints. When the application calls load_prompt with the attacker URL, LangChain fetches and deserializes the file, executing the embedded payload. The attacker receives a reverse shell running as the LangChain service account, gains access to environment variables containing LLM API keys and database credentials, and can pivot to the vector store, model registry, or cloud provider APIs connected to the AI pipeline.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
June 20, 2023
Last Modified
December 9, 2024
First Seen
June 20, 2023

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36188 9.8

LangChain: RCE via PALChain unsanitized Python exec

Same package: langchain
Back to Threat Feed