Anonymous Intelligence Signal

LangChain 0.1.9 Flawed by Two Critical Vulnerabilities — CVSS 9.8 and 9.3, No Patches Available

human | The Lab | unverified | 2026-05-01 02:54:05 | Source: GitHub Issues

LangChain 0.1.9, a popular Python framework for building applications with large language models, contains two critical vulnerabilities that expose dependent systems to severe risk. The most alarming flaw, CVE-2024-8309, carries a CVSS score of 9.8 and affects the langchain_community component (version 0.0.38). A second critical vulnerability, CVE-2025-68664, affects langchain_core (version 0.1.53) with a severity rating of 9.3. Both vulnerabilities are transitive, meaning they originate in dependencies rather than LangChain's own codebase, yet they remain exploitable through systems that use the framework.

Neither vulnerability currently has a documented fix. The langchain_community and langchain_core packages carrying these flaws are marked with no remediation available, placing the burden of mitigation entirely on developers and security teams. The vulnerable packages were identified through analysis of the LangChain 0.1.9 wheel file (langchain-0.1.9-py3-none-any.whl) and its associated dependency chain. Exploit maturity for both CVEs is listed as "Not Defined," indicating uncertainty about whether working exploits exist in the wild.

The CVSS scores place both findings in critical territory, signaling the potential for severe consequences if exploited. However, EPSS scores of 2.002% and 1.939% suggest relatively low probability of active exploitation in the near term. Organizations leveraging LangChain in production environments should monitor for upstream patches, evaluate compensating controls, and reassess dependency exposure as the vulnerability landscape evolves. The absence of fixes amplifies the need for heightened vigilance around this widely-deployed AI development framework.
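The signal's practical point is that the flawed packages are reached through LangChain's dependency chain rather than imported directly, so a check that only looks at top-level requirements misses them. The following script, added here as an illustration and not part of the original signal or the LangChain project, walks a resolved dependency graph from an application root, flags packages installed at exactly the affected versions named above, reports the path by which each was pulled in, and orders the findings by CVSS and EPSS. The CVE identifiers, package names, versions and scores are those stated in the signal; the application name `myapp`, the dependency graph, the installed-version table, the function names and the "patched" version used in the usage note are constructed assumptions standing in for what `pip show` or `importlib.metadata` would report in a real environment.

```python
"""Added example (not from the original signal): flag transitive dependencies of
langchain 0.1.9 that match the advisories described in the text.

The dependency graph and installed-version table are CONSTRUCTED sample data;
only the CVE ids, package names, affected versions, CVSS and EPSS figures come
from the signal. Function names and graph shape are assumptions.
"""
from collections import deque

# Advisory data as stated in the signal: package, affected version, CVSS, EPSS (%)
ADVISORIES = {
    "CVE-2024-8309": {"package": "langchain_community", "version": "0.0.38", "cvss": 9.8, "epss": 2.002},
    "CVE-2025-68664": {"package": "langchain_core", "version": "0.1.53", "cvss": 9.3, "epss": 1.939},
}

# Constructed sample: the resolved environment, package -> installed version
SAMPLE_INSTALLED = {
    "myapp": "1.0.0",
    "langchain": "0.1.9",
    "langchain_community": "0.0.38",
    "langchain_core": "0.1.53",
    "requests": "2.31.0",
}

# Constructed sample: direct dependency edges, package -> packages it requires
SAMPLE_GRAPH = {
    "myapp": ["langchain", "requests"],
    "langchain": ["langchain_community", "langchain_core"],
    "langchain_community": ["langchain_core", "requests"],
    "langchain_core": [],
    "requests": [],
}


def dependency_paths(graph, root):
    """Breadth-first walk from root; return the shortest path (list of names) to each reachable package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def find_vulnerable(installed, graph, root, advisories=ADVISORIES):
    """Return {cve: finding} for every advisory whose package is installed at the
    affected version and is reachable from root. Exact version match only, because
    the signal names specific affected versions and no fixed range."""
    paths = dependency_paths(graph, root)
    findings = {}
    for cve, adv in advisories.items():
        pkg = adv["package"]
        if installed.get(pkg) != adv["version"] or pkg not in paths:
            continue
        path = paths[pkg]
        findings[cve] = {
            "package": pkg,
            "version": installed[pkg],
            "path": path,
            "direct": len(path) == 2,  # root -> pkg with nothing in between
            "cvss": adv["cvss"],
            "epss": adv["epss"],
        }
    return findings


def prioritize(findings):
    """Order CVE ids by CVSS, then EPSS, highest first: the two figures the signal uses for triage."""
    return sorted(findings, key=lambda c: (findings[c]["cvss"], findings[c]["epss"]), reverse=True)


if __name__ == "__main__":
    found = find_vulnerable(SAMPLE_INSTALLED, SAMPLE_GRAPH, "myapp")
    for cve in prioritize(found):
        f = found[cve]
        kind = "direct" if f["direct"] else "transitive"
        print(f"{cve}: {f['package']} {f['version']} ({kind}) via {' -> '.join(f['path'])}; "
              f"CVSS {f['cvss']} EPSS {f['epss']}%")
```

Run against the constructed sample, both CVEs are reported as transitive, reached via `myapp -> langchain`, with CVE-2024-8309 first. Replacing the sample tables with the output of `importlib.metadata.distributions()` and each distribution's `requires` list turns this into a check against a real environment; because the signal lists no fixed versions, the exact-match rule is deliberately conservative and should be revisited once upstream publishes a remediation.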