Open
Description
While working on an agents project, I identified a critical serialization injection vulnerability in the langchain-core package. The issue exists in the dumps() and dumpd() serialization methods, which fail to escape user-controlled dictionaries containing lc keys. During deserialization, these structures are treated as valid LangChain objects, which may allow attackers to extract environment secrets or instantiate internal classes with controlled parameters.
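
A defensive pre-serialization check for the condition described in the issue above, as an added example that is not part of the original report or of langchain-core: it walks untrusted input and rejects any dictionary carrying an `lc` key before that data reaches a serializer. The function names and sample data are hypothetical, and it assumes untrusted data arrives as plain dicts, lists, tuples and scalars.

```python
from typing import Any, Iterator

# Marker key that, per the issue, dumps()/dumpd() leave unescaped in user data.
RESERVED_KEY = "lc"


class ReservedKeyError(ValueError):
    """Raised when untrusted data collides with the serialization marker."""


def find_reserved_keys(value: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSON-path-like location for every dict that carries an 'lc' key."""
    if isinstance(value, dict):
        if RESERVED_KEY in value:
            yield path
        # Keep descending: a marker can sit at any nesting depth.
        for key, child in value.items():
            yield from find_reserved_keys(child, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from find_reserved_keys(child, f"{path}[{index}]")


def require_no_reserved_keys(untrusted: Any) -> Any:
    """Return the data unchanged, or raise if any dict in it has an 'lc' key."""
    hits = list(find_reserved_keys(untrusted))
    if hits:
        raise ReservedKeyError(
            f"reserved key {RESERVED_KEY!r} found at: {', '.join(hits)}"
        )
    return untrusted


# Constructed sample inputs (hypothetical, not taken from the issue).
CLEAN_METADATA = {"user": "alice", "tags": ["billing", {"priority": 2}]}
SUSPECT_METADATA = {
    "user": "mallory",
    "extra": {"lc": 1, "note": "constructed placeholder"},
    "history": [{"text": "hi"}, {"lc": 1}],
}

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_METADATA), ("suspect", SUSPECT_METADATA)):
        try:
            require_no_reserved_keys(sample)
            print(f"{name}: accepted")
        except ReservedKeyError as exc:
            print(f"{name}: rejected ({exc})")
```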