CVE-2024-58340 HIGH

CVE-2024-58340: LangChain <= 0.3.1 MRKLOutputParser ReDoS

Vendor Langchain Ai
Product LangChain
Weakness CWE-1333
Published January 12, 2026
Last update March 5, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

Key dates

02Disclosure timeline

January 12, 2026 CVE published
March 5, 2026 Record updated