AI Threat Alert

CVE-2024-58340: langchain: security flaw enables exploitation

HIGH PoC AVAILABLE CISA: TRACK*
Published January 12, 2026
CISO Take

Any LangChain-based application running MRKL agents on version 0.3.1 or earlier is vulnerable to a DoS attack delivered via prompt injection — no authentication required. An attacker who can influence LLM output (e.g., through user-supplied prompts in a downstream app) can stall your agent service with a single crafted string. Patch to LangChain >0.3.1 immediately; if you cannot patch today, wrap MRKLOutputParser calls with a timeout and sanitize LLM output before parsing.

What is the risk?

CVSS 7.5 High with AV:N/AC:L/PR:N/UI:N is accurate for the worst case. Real-world exploitability requires the attacker to first achieve prompt injection against the target application — an increasingly realistic assumption for any public-facing LLM app. The exploit chain is two steps: (1) inject a crafted payload via user input, (2) the LLM reflects it and the app feeds it to the vulnerable parser. CPU exhaustion is the outcome, not code execution or data leakage, which limits blast radius. Organizations running MRKL/ReAct agent architectures at scale or in multi-tenant SaaS products face the highest exposure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch
139.8K OpenSSF 5.9 2.7K dependents Pushed 2d ago 24% patched ~156d to patch Full package profile →

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 32% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

6 steps

  1. PATCH

    Upgrade langchain to the first version past 0.3.1 that includes the fixed regex; verify with pip show langchain.

  2. WORKAROUND (if patch is not immediate): Wrap MRKLOutputParser.parse() calls with a signal-based or thread-based timeout (e.g., 2–5 seconds); raise a parsing error and abort on timeout.

  3. INPUT HYGIENE

    Truncate LLM output to a reasonable maximum length (e.g., 4 KB) before passing to the parser; reject outputs with suspicious repetitive patterns.

  4. RATE LIMITING

    Apply per-user/session rate limits on agent invocations to reduce DoS throughput.

  5. DETECTION

    Alert on sustained high CPU usage in agent worker processes; log parsing duration and alert on outliers >500 ms.

  6. INVENTORY

    Audit all internal and customer-facing apps that import langchain.agents.mrkl.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Prompt Injection Framework Agent AML.T0010.001 AML.T0029 AML.T0034 AML.T0043 AML.T0049 AML.T0051 AML.T0051.000 AML.T0051.001

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, Robustness, and Cybersecurity
ISO 42001
A.6.1.4 - AI Risk Assessment A.6.2.6 - AI system availability and resilience A.9.2 - AI Incident Handling A.9.3 - AI system risk treatment
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the deployed AI system MAP-5.1 - Likelihood and Impact of AI Risks
OWASP LLM Top 10
LLM01:2025 - Prompt Injection LLM07:2025 - System Prompt Leakage / Insecure Output Handling LLM10:2025 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2024-58340?

Any LangChain-based application running MRKL agents on version 0.3.1 or earlier is vulnerable to a DoS attack delivered via prompt injection — no authentication required. An attacker who can influence LLM output (e.g., through user-supplied prompts in a downstream app) can stall your agent service with a single crafted string. Patch to LangChain >0.3.1 immediately; if you cannot patch today, wrap MRKLOutputParser calls with a timeout and sanitize LLM output before parsing.

Is CVE-2024-58340 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-58340, increasing the risk of exploitation.

How to fix CVE-2024-58340?

1. PATCH: Upgrade langchain to the first version past 0.3.1 that includes the fixed regex; verify with `pip show langchain`. 2. WORKAROUND (if patch is not immediate): Wrap MRKLOutputParser.parse() calls with a signal-based or thread-based timeout (e.g., 2–5 seconds); raise a parsing error and abort on timeout. 3. INPUT HYGIENE: Truncate LLM output to a reasonable maximum length (e.g., 4 KB) before passing to the parser; reject outputs with suspicious repetitive patterns. 4. RATE LIMITING: Apply per-user/session rate limits on agent invocations to reduce DoS throughput. 5. DETECTION: Alert on sustained high CPU usage in agent worker processes; log parsing duration and alert on outliers >500 ms. 6. INVENTORY: Audit all internal and customer-facing apps that import langchain.agents.mrkl.

What systems are affected by CVE-2024-58340?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM agentic pipelines, ReAct/MRKL agent workflows, multi-tenant LLM SaaS.

What is the CVSS score for CVE-2024-58340?

CVE-2024-58340 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM agentic pipelinesReAct/MRKL agent workflowsmulti-tenant LLM SaaS

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application
AML.T0051 LLM Prompt Injection
AML.T0051.000 Direct
AML.T0051.001 Indirect

Compliance Controls Affected

EU AI Act: Art. 15, Article 15
ISO 42001: A.6.1.4, A.6.2.6, A.9.2, A.9.3
NIST AI RMF: MANAGE-2.2, MAP-5.1
OWASP LLM Top 10: LLM01:2025, LLM07:2025, LLM10:2025

What are the technical details?

Original Advisory

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

Exploitation Scenario

An attacker targets a public-facing AI assistant built on LangChain MRKL agents. They craft a user prompt designed to cause the underlying LLM to produce output containing a pathological string — for example, a long sequence of spaces or repeated characters that exploits the backtracking in the MRKL action-extraction regex (e.g., `Action: ` followed by thousands of repeated ambiguous characters). The application passes the LLM's raw output directly to MRKLOutputParser.parse() without sanitization. The regex engine enters catastrophic backtracking, pegging one CPU core at 100% for tens of seconds per request. An attacker automating dozens of such requests can exhaust worker threads and render the service unavailable for all users within minutes.

Weaknesses (CWE)

CWE-1333 Inefficient Regular Expression Complexity Primary

CWE-1333 — Inefficient Regular Expression Complexity: The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

  • [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
January 12, 2026
Last Modified
January 21, 2026
First Seen
January 12, 2026

Related Vulnerabilities

CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same package: langchain
CRITICAL CVE-2023-34541 9.8

LangChain: RCE via unsafe load_prompt deserialization

Same package: langchain
CRITICAL CVE-2023-29374 9.8

LangChain: RCE via prompt injection in LLMMathChain

Same package: langchain
CRITICAL CVE-2023-34540 9.8

LangChain: RCE via JiraAPIWrapper crafted input

Same package: langchain
CRITICAL CVE-2023-36258 9.8

LangChain: unauthenticated RCE via code injection

Same package: langchain
Back to Threat Feed