
docs(security): add initial threat model for langchain monorepo#36317

Draft
John Kennedy (jkennedyvz) wants to merge 1 commit into master from security/threat-model-initial

Conversation

John Kennedy (@jkennedyvz), Contributor, commented Mar 27, 2026

Summary

  • Adds THREAT_MODEL.md at the repo root documenting the security posture of the langchain-ai/langchain monorepo
  • Generated via deep-mode analysis (commit 494b760028) covering 10 components, 5 trust boundaries, 8 data flows, 8 threats, 7 out-of-scope patterns, and 2 investigated/dismissed findings
  • Serves both human security reviewers and AI agents performing automated triage (consistent IDs: C/TB/DF/T/DC/D prefixes, file:SymbolName code references throughout)

Generated by langster-threat-model (deep mode, commit 494b760). Documents
10 components, 5 trust boundaries, 8 data flows, 8 threats (2 verified,
3 likely, 1 unverified, 1 accepted, 1 partially mitigated), 7 out-of-scope
patterns, and 2 investigated/dismissed findings.

Key findings:
- T1 (High/Verified): env var exfiltration via secrets_from_env=True; safe by default
- T4 (High/Likely): API credential leakage into agent subprocess env
- T5 (Medium/Likely): DNS rebinding bypass in SSRF protection for image URL token counting
- T7 (Medium/Likely): symlink path traversal in FilesystemFileSearchMiddleware

AI-generated with human review required.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
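The T5 finding above names a DNS rebinding bypass of an SSRF check. The mechanism that makes such a bypass possible, and the fix, are shown in the following added example; it is illustrative code written for this page, not LangChain's implementation, and the function names, the injected resolver interface and the simulated attacker DNS are assumptions. The vulnerable shape resolves the hostname, validates the result, and then hands the hostname back to an HTTP client that resolves it a second time; the hardened shape resolves once and connects to the address it validated.

```python
"""Added example (not LangChain's code): a check-then-fetch SSRF guard that is
bypassable by DNS rebinding, beside a version that pins the validated address.
The resolver is injected so the rebinding attacker can be simulated offline.
Names (naive_guarded_fetch, pinned_guarded_fetch, RebindingResolver) are
assumptions for this illustration."""

import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]  # hostname -> list of IP literals


def is_public_address(ip: str) -> bool:
    """Reject loopback, RFC1918, link-local (incl. 169.254.169.254) and other
    non-global ranges. IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:127.0.0.1 cannot slip past an IPv6-only check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global


def naive_guarded_fetch(url: str, resolve: Resolver) -> Tuple[str, str]:
    """Vulnerable pattern: validate, then let the client re-resolve the name.
    Returns (host, ip the simulated client actually connects to)."""
    host = urlsplit(url).hostname
    if not all(is_public_address(ip) for ip in resolve(host)):
        raise ValueError(f"blocked non-public host {host}")
    # Simulated HTTP client: performs its own lookup; an attacker-controlled
    # zone with a short TTL can answer differently the second time.
    connect_ip = resolve(host)[0]
    return host, connect_ip


def pinned_guarded_fetch(url: str, resolve: Resolver) -> Tuple[str, str]:
    """Hardened: resolve once, validate every returned address, and connect to
    the validated literal (the real client would keep the original Host
    header and SNI while dialing the pinned IP)."""
    host = urlsplit(url).hostname
    addrs = resolve(host)
    if not addrs or not all(is_public_address(ip) for ip in addrs):
        raise ValueError(f"blocked non-public host {host}")
    connect_ip = addrs[0]  # pinned; no second lookup happens
    return host, connect_ip


class RebindingResolver:
    """Constructed attacker DNS: the first answer is a public IP (passes the
    check), every later answer is loopback."""

    def __init__(self, first: str = "93.184.216.34", later: str = "127.0.0.1"):
        self.first, self.later, self.calls = first, later, 0

    def __call__(self, host: str) -> List[str]:
        self.calls += 1
        return [self.first if self.calls == 1 else self.later]


def demo() -> dict:
    """Run both guards against the same rebinding resolver."""
    url = "http://images.example.test/photo.png"  # constructed URL
    _, naive_ip = naive_guarded_fetch(url, RebindingResolver())
    _, pinned_ip = pinned_guarded_fetch(url, RebindingResolver())
    return {"naive_connects_to": naive_ip, "pinned_connects_to": pinned_ip}


if __name__ == "__main__":
    print(demo())
```

The point to carry into a real fix is that the validated address, not the hostname, must be what the socket dials; with most HTTP clients that means a custom connection/transport that dials the literal and sets Host and SNI separately, and it must also be applied to every hop of a redirect chain.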
github-actions bot added the labels documentation (Improvements or additions to documentation), internal, and size: M (200-499 LOC) on Mar 27, 2026
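The T7 finding above names a symlink path traversal in a filesystem search middleware. The following added example shows the general shape of that bug class and the containment check that closes it; it is illustrative code written for this page, not LangChain's FilesystemFileSearchMiddleware, and the function names and the constructed directory layout are assumptions. The weak check normalizes the path lexically and tests a string prefix, so a symlink placed inside the root that points outside it passes; the hardened check resolves symlinks on both sides and uses a path-component comparison.

```python
"""Added example (not LangChain's code): containing file access to a root
directory so that neither '..' nor a symlink inside the root can escape it.
Names (naive_within_root, resolved_within_root, build_fixture) are
assumptions for this illustration."""

import os
import tempfile
from pathlib import Path


def naive_within_root(root: str, requested: str) -> bool:
    """Vulnerable: abspath only normalizes '..' textually and never follows
    links, and a string prefix test is also fooled by sibling dirs such as
    /srv/root2 when root is /srv/root."""
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, requested))
    return target.startswith(root_abs + os.sep)


def resolved_within_root(root: str, requested: str) -> bool:
    """Hardened: resolve every symlink on both sides, then require the root to
    be a path-component prefix of the target via commonpath."""
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root_real, requested))
    try:
        return os.path.commonpath([root_real, target_real]) == root_real
    except ValueError:  # paths on different drives (Windows)
        return False


def build_fixture() -> str:
    """Constructed layout under a temp dir:
       root/notes.txt            (ordinary file inside the root)
       root/escape -> ../outside/secret.txt   (symlink pointing outside)
    Returns the root path."""
    tmp = tempfile.mkdtemp()
    root = Path(tmp, "root")
    outside = Path(tmp, "outside")
    root.mkdir()
    outside.mkdir()
    (root / "notes.txt").write_text("inside")
    (outside / "secret.txt").write_text("outside")
    os.symlink(outside / "secret.txt", root / "escape")
    return str(root)


def demo() -> dict:
    """Run both checks against the constructed layout."""
    root = build_fixture()
    return {
        "naive_allows_symlink": naive_within_root(root, "escape"),
        "resolved_allows_symlink": resolved_within_root(root, "escape"),
        "naive_allows_dotdot": naive_within_root(root, "../outside/secret.txt"),
        "resolved_allows_dotdot": resolved_within_root(root, "../outside/secret.txt"),
        "resolved_allows_normal": resolved_within_root(root, "notes.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

When the search walks a directory tree rather than checking one requested path, the same realpath-plus-commonpath test has to be applied to every entry the walk yields, and `os.walk(..., followlinks=False)` (the default) should be kept so that a symlinked directory is not descended into.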
Comment thread THREAT_MODEL.md
@@ -0,0 +1,357 @@
# Threat Model: langchain-ai/langchain

> Generated: 2026-03-27 | Commit: 494b760028 | Scope: /workspace/langchain (full monorepo) | Visibility: Open Source | Mode: deep
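Review bot: the header line `> Generated: 2026-03-27 | Commit: 494b760028 | Scope: /workspace/langchain (full monorepo) | ...` bakes a local absolute path and a pinned commit hash into a committed document. The `/workspace/langchain` path belongs to the machine that generated the file and means nothing to readers of the repository, and the date and commit hash go stale on the first merge after this one, so the model will describe a tree other than the one it sits in. Suggest `Scope: full monorepo` with the path dropped, and either dropping the date/commit or stating that the document is maintained against the current tree with git history as the provenance record.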
Member commented on this line:

Let's not version these

@0xbrainkid commented:

This threat model is an excellent starting point and the AI-agent-specific data flows (DF6/DF7/DF8) correctly identify where trust decisions need to happen.

One gap worth considering as a distinct threat: cross-organizational agent identity (T9). The current threats address the LangChain agent operating within a known trust boundary (the developer controls the environment). But production LangChain agents increasingly call external agents, tools, and APIs that they did not provision — and those external agents may impersonate legitimate counterparts.

Concrete scenario: A LangChain agent delegates a subtask to an external "billing tool" agent. The current threat model covers T4 (prompt injection) and T5 (malicious tool output). But if the external agent itself presents a falsified identity, claiming to be a verified financial processor when it is not, there is no modeled threat for that. This is distinct from prompt injection: it is identity fraud at the agent-to-agent handshake layer.

A potential T9 addition:

T9: External Agent Identity Spoofing
Affected components: C6 (LLM), C7 (Memory), C9 (External APIs/Tools)
Trust boundary: TB4 (LangChain ↔ External APIs)
Mitigations: 
  - Require W3C DID or on-chain attestation for external agent handshakes
  - Verify trust score before tool invocation (SATP, AgentScore)
  - Reject delegation to agents with no verifiable behavioral history

Happy to draft formal threat entry language if this direction is useful.
