Information Disclosure via Weak Hash in Task Result Cache
Summary
A vulnerability was determined in langchain-ai langgraph up to 1.2.4. The affected element is the function _freeze of the file libs/langgraph/langgraph/_internal/_cache.py of the component Task Result Cache. This manipulation of the argument default_cache_key causes use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance. A remote attacker could exploit this vulnerability by manipulating the `default_cache_key` argument within the `_freeze` function of the Task Result Cache component. This flaw in langgraph, rated as Low impact, could lead to limited information disclosure. The vulnerability's limited scope and challenging exploitability reduce its overall risk in typical Red Hat deployments. Red Hat severity: Low — CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N). Weakness: CWE-328. Affected Red Hat products: Exploit Intelligence; Migration Toolkit for Applications 8; OpenShift Lightspeed; Red Hat Ansible Automation Platform 2; Red Hat OpenShift AI (RHOAI). Red Hat does not currently list a fixing RHSA for this CVE.
- 1.2.4
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.