Home

Description

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

PUBLISHED Reserved 2026-01-09 | Published 2026-01-12 | Updated 2026-01-12 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1333 Inefficient Regular Expression Complexity

Product status

Default status
unknown

Any version
affected

Credits

LifeTeam2024 finder

References

huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb technical-description exploit

www.langchain.com/ product

github.com/langchain-ai/langchain product

www.vulncheck.com/...sories/langchain-mrkloutputparser-redos third-party-advisory

cve.org (CVE-2024-58340)

nvd.nist.gov (CVE-2024-58340)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.