| Vendor |
|
| Product | LangGraph |
| Affected Version(s) | 0.3.6-0.4.5 and probably prior |
| Tested Version(s) | 0.4.5 |
| Vendor Notification | 23 May 2025 |
| Advisory Publication | 12 June 2025 [without technical details] |
| Vendor Fix | N/A |
| Public Disclosure | 12 June 2025 |
| Latest Modification | 12 June 2025 |
| CVE Identifier | Pending |
| Product Description | LangGraph provides prebuilt components for building agent-based LLM applications. The library is designed to help construct agentic systems quickly and reliably—without the need to implement orchestration, memory, or human feedback handling from scratch. |
| Credits | Jeremy Wong - Cyber Security Consultant @ wizlynx group |
| Code Execution | |||
| Severity: High | CVSS Score: 7.3 | CWE-ID: CWE-94 | Status: Open |
| Vulnerability Description | |||
| create_react_agent function in the LangGraph Library insecurely utilizes `get_type_hints()` for processing an optional argument, which would allow attackers to execute arbitrary python & OS code when parsing untrusted input. | |||
| CVSS Base Score | |||
| Attack Vector | Local (L) | Scope | Changed |
| Attack Complexity | High | Confidentiality Impact | High |
| Privileges Required | Python Access | Integrity Impact | High |
| User Interaction | Required | Availability Impact | High |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.