CVE-2024-58340

UNKNOWN 0.0

LangChain <= 0.3.1 MRKLOutputParser ReDoS

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

CWE	CWE-1333
Vendor	langchain ai
Product	langchain
Published	Jan 12, 2026
Last Updated	Mar 5, 2026

Stay Ahead of the Next One

Get instant alerts for langchain ai langchain

Be the first to know when new unknown vulnerabilities affecting langchain ai langchain are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

LangChain AI / LangChain

0 ≤ 0.3.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

huntr.com: https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb langchain.com: https://www.langchain.com/ github.com: https://github.com/langchain-ai/langchain vulncheck.com: https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos

Credits

LifeTeam2024