Load LangChain objects from JSON strings or objects.
WARNING: load() deserializes data by instantiating classes and invoking
constructors. Never call load() on untrusted or user-supplied input.
Doing so can lead to insecure deserialization — including arbitrary class
instantiation, secret exfiltration, and server-side request forgery (SSRF).
Only deserialize data that originates from a trusted source you control.
Each Serializable LangChain object has a unique identifier (its "class path"),
which is a list of strings representing the module path and class name. For example:
- AIMessage -> ["langchain_core", "messages", "ai", "AIMessage"]
- ChatPromptTemplate -> ["langchain_core", "prompts", "chat", "ChatPromptTemplate"]
When deserializing, the class path is validated against supported namespaces.
A serialized LangChain payload crosses a trust boundary because the manifest
may contain serialized objects and configuration that affect runtime behavior.
For example, a payload can configure a chat model with a custom base_url,
custom headers, a different model name, or other constructor arguments. These
are supported features, but they also mean the payload contents should be
treated as executable configuration rather than plain text.
Concretely, deserialization instantiates classes, so any constructor on an
allowed class will run during load(). A crafted payload that is allowed to
reach an unintended class — or an intended class with attacker-controlled
kwargs — could cause network calls, file operations, or environment-variable
access while the object is being built.
The secretsFromEnv parameter controls whether secrets can be loaded from environment
variables:
- false (default): Secrets must be provided in secretsMap. If a secret is not
  found, null is returned instead of loading from environment variables.
- true: If a secret is not found in secretsMap, it will be loaded from
  environment variables. Use this only in trusted environments.
Security recommendations:
- Do not enable secretsFromEnv unless the serialized data is fully trusted.
  A crafted payload can reference arbitrary environment variable names, leaking
  secrets to an attacker-controlled class constructor.
- Keep secretsMap minimal. Only include the specific secrets the serialized
  object actually needs.
- Keep importMap / optionalImportsMap as small and static as possible.
  Each entry widens the set of classes an attacker can instantiate. Never
  populate these maps from user input.
During serialization, plain objects that contain an 'lc' key are escaped by wrapping
them: {"__lc_escaped__": {...}}. During deserialization, escaped objects are unwrapped
and returned as plain objects, NOT instantiated as LC objects.
This is an allowlist approach: only objects explicitly produced by
Serializable.toJSON() (which are NOT escaped) are treated as LC objects;
everything else is user data.
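The following is an added, self-contained illustration of the three rules described above (class-path allowlisting against a static import map, secrets resolved only from secretsMap when secretsFromEnv is false, and __lc_escaped__ objects unwrapped as plain data). It is not the @langchain/core implementation; the payload shape (lc / type / id / kwargs) follows the LangChain serialization format, while the AIMessage stand-in, ALLOWED_NAMESPACES and IMPORT_MAP are constructed for the example.

```javascript
// Constructed allowlist of namespaces a class path may start with.
const ALLOWED_NAMESPACES = ["langchain_core"];

// Minimal stand-in for a Serializable class (not the real AIMessage).
class AIMessage {
  constructor(kwargs) { this.content = kwargs.content; }
}

// Static import map: class path joined by "." -> constructor. Never built from input.
const IMPORT_MAP = { "langchain_core.messages.ai.AIMessage": AIMessage };

function resolveSecret(name, secretsMap, secretsFromEnv) {
  if (Object.prototype.hasOwnProperty.call(secretsMap, name)) return secretsMap[name];
  // With secretsFromEnv=false (the default) a missing secret yields null rather than
  // reading process.env, so a payload cannot name arbitrary environment variables.
  return secretsFromEnv ? (process.env[name] ?? null) : null;
}

function revive(node, opts) {
  if (Array.isArray(node)) return node.map((n) => revive(n, opts));
  if (node === null || typeof node !== "object") return node;
  // Escaped plain objects are unwrapped and returned as data, never instantiated.
  if ("__lc_escaped__" in node) return node.__lc_escaped__;
  if (!("lc" in node)) {
    return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, revive(v, opts)]));
  }
  if (node.type === "secret") {
    return resolveSecret(node.id[0], opts.secretsMap ?? {}, opts.secretsFromEnv ?? false);
  }
  if (node.type === "constructor") {
    const path = node.id.join(".");
    if (!ALLOWED_NAMESPACES.includes(node.id[0])) throw new Error(`namespace not allowed: ${path}`);
    const ctor = IMPORT_MAP[path];
    if (!ctor) throw new Error(`class not in import map: ${path}`);
    return new ctor(revive(node.kwargs ?? {}, opts));
  }
  throw new Error(`unsupported node type: ${node.type}`);
}

// Entry point mirroring load(text, options): parse, then revive under the allowlist.
function safeLoad(text, opts = {}) {
  return revive(JSON.parse(text), opts);
}
```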
import { ... } from "@langchain/core/load";