@langchain/core is vulnerable to Use of Weak Hash
30
Low Risk
Affected versions of this package are vulnerable to cache poisoning due to the use of the SHA-1 hashing algorithm in the default cache key encoder. SHA-1 is not collision-resistant, allowing attackers to craft different inputs that produce the same hash. This may result in incorrect or malicious cache hits. While SHA-1 deprecation is underway, the transition is currently opt-in to preserve backward compatibility. This issue is especially relevant for applications exposed to untrusted input, requiring high cache integrity, or subject to security compliance.
You are affected if you are using a version that falls within the vulnerable range.
@langchain/core is vulnerable to Use of Weak Hash in versions 0.0.0 - 0.3.59.
Upgrade @langchain/core to a patched version (0.3.60 or later). Alternatively, supply a stronger hash function (such as SHA-256 or SHA-3) for cache key encoding by calling the makeDefaultKeyEncoder() method on your cache instance.