LangChain: Security Patch & Release Day
The LangChain team had a focused security day, with Eugene Yurtsev leading the charge to patch a critical ReDoS vulnerability in MRKL and ReAct agent parsers. Five pull requests were merged, including the security fix, backports, version bumps, and two patch releases (langchain-classic 1.0.2 and langchain 0.3.28).
Duration: PT4M5S
Episode overview
This episode is a short developer briefing from LangChain.
It explains recent repository work in plain language.
- Show: LangChain
- Published: 2026-03-07T11:14:51Z
- Audio duration: PT4M5S
Transcript excerpt
Hey there, fellow builders! Welcome back to another episode of the LangChain podcast. I'm your host, and wow, do we have an interesting story to tell today about how open source security really works in practice.
You know those days when everything clicks into place? When a team spots an issue, fixes it properly, and ships it out to protect everyone? That's exactly what happened yesterday, and it's honestly beautiful to watch unfold.
Let me paint you the picture. Eugene Yurtsev discovered something pretty serious - a ReDoS vulnerability, which stands for Regular Expression Denial of Service. Now, before your eyes glaze over thinking this is some esoteric edge case, this is actually the kind of bug that can bring your AI agents to their knees…
The issue was hiding in the regex patterns that parse actions for MRKL and ReAct agents. Picture this: you've got a pattern that's looking for the word "Action" in some text, but there's this sneaky redundant part that can cause what we call "catastrophic backtracking." An attacker could send a relatively short…
Eugene didn't just slap a band-aid on this. The fix is actually quite elegant - they removed a redundant whitespace quantifier that…
But…