{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T15:54:19.872","vulnerabilities":[{"cve":{"id":"CVE-2024-58340","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-01-12T23:15:51.780","lastModified":"2026-01-21T17:57:56.537","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition."},{"lang":"es","value":"Las versiones de LangChain hasta la 0.3.1 inclusive contienen una vulnerabilidad de denegación de servicio por expresión regular (ReDoS) en el método MRKLOutputParser.parse() (libs/langchain/langchain/agents/mrkl/output_parser.py). El analizador aplica una expresión regular propensa a retrocesos al extraer acciones de herramientas de la salida del modelo. Un atacante que puede suministrar o influir en el texto analizado (por ejemplo, mediante inyección de prompt en aplicaciones posteriores que pasan la salida del LLM directamente a MRKLOutputParser.parse()) puede desencadenar un consumo excesivo de CPU al proporcionar una carga útil manipulada, causando retrasos significativos en el análisis y una condición de denegación de servicio."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Primary","description":[{"lang":"en","value":"CWE-1333"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*:*","versionEndIncluding":"0.3.1","matchCriteriaId":"6E9D0E05-1453-4F45-BA4F-C188E1639974"}]}]}],"references":[{"url":"https://github.com/langchain-ai/langchain","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb","source":"disclosure@vulncheck.com","tags":["Exploit","Issue Tracking","Third Party Advisory"]},{"url":"https://www.langchain.com/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos","source":"disclosure@vulncheck.com","tags":["Third Party Advisory"]}]}}]}