Module • Since v1.0

load

Load LangChain objects from JSON strings or objects.

WARNING: load() deserializes data by instantiating classes and invoking constructors. Never call load() on untrusted or user-supplied input. Doing so can lead to insecure deserialization — including arbitrary class instantiation, secret exfiltration, and server-side request forgery (SSRF). Only deserialize data that originates from a trusted source you control.

How it works

Each Serializable LangChain object has a unique identifier (its "class path"), which is a list of strings representing the module path and class name. For example:

  • AIMessage -> ["langchain_core", "messages", "ai", "AIMessage"]
  • ChatPromptTemplate -> ["langchain_core", "prompts", "chat", "ChatPromptTemplate"]

When deserializing, the class path is validated against supported namespaces.

Security model

The secretsFromEnv parameter controls whether secrets can be loaded from environment variables:

  • false (default): Secrets must be provided in secretsMap. If a secret is not found, null is returned instead of loading from environment variables.
  • true: If a secret is not found in secretsMap, it will be loaded from environment variables. Use this only in trusted environments.

Hardening recommendations

  • Never enable secretsFromEnv unless the serialized data is fully trusted. A crafted payload can reference arbitrary environment variable names, leaking secrets to an attacker-controlled class constructor.
  • Keep secretsMap minimal. Only include the specific secrets the serialized object actually needs.
  • Keep importMap / optionalImportsMap as small and static as possible. Each entry widens the set of classes an attacker can instantiate. Never populate these maps from user input.

Injection protection (escape-based)

During serialization, plain objects that contain an 'lc' key are escaped by wrapping them: {"__lc_escaped__": {...}}. During deserialization, escaped objects are unwrapped and returned as plain objects, NOT instantiated as LC objects.

This is an allowlist approach: only objects explicitly produced by Serializable.toJSON() (which are NOT escaped) are treated as LC objects; everything else is user data.

import { ... } from "@langchain/core/load";

Functions

function
load → Promise<T>

Load a LangChain object from a JSON string.

WARNING — insecure deserialization risk. This function instantiates classes and invokes constructors based on the contents of text. If text originates from an untrusted source, an attacker can craft a payload that instantiates arbitrary allowed classes with attacker-controlled arguments, potentially causing secret exfiltration, SSRF, or other side effects.

Only call load() on data you have produced yourself or received from a fully trusted origin (e.g., your own database). Never deserialize user-supplied or network-received JSON without independent validation.
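One way to do the independent validation mentioned above, as an added example rather than LangChain's own code: walk the parsed JSON and report any class path or secret reference outside a static allowlist, treating `__lc_escaped__` wrappers as plain data as described under "Injection protection". The node shape (`type`, `id`, `kwargs`), the allowlist contents, `MAX_DEPTH` and all function names are assumptions of this example.

```javascript
// Added example: audit a serialized payload before it is handed to load().
// Assumed wire shape (not shown on this page): { lc, type, id, kwargs }, with
// type "constructor" for class nodes and "secret" for secret references.

// Static allowlists, constructed for this example; never build them from input.
const ALLOWED_CLASS_PATHS = new Set([
  "langchain_core/messages/ai/AIMessage",
  "langchain_core/prompts/chat/ChatPromptTemplate",
]);
const ALLOWED_SECRET_NAMES = new Set(); // these objects need no secrets
const MAX_DEPTH = 50; // arbitrary bound chosen for this example
// Constructed sample: user data carrying a forged class node, escaped by the serializer.
const SAMPLE_ESCAPED = '{"lc":1,"type":"constructor","id":["langchain_core","messages","ai","AIMessage"],"kwargs":{"content":"hi","additional_kwargs":{"__lc_escaped__":{"lc":1,"type":"constructor","id":["example_pkg","Unlisted"],"kwargs":{}}}}}';

function auditNode(node, findings, depth) {
  if (depth > MAX_DEPTH) { findings.push("nesting deeper than MAX_DEPTH"); return; }
  if (node === null || typeof node !== "object") return;
  if (!Array.isArray(node)) {
    // An escaped wrapper comes back as plain user data and is never
    // instantiated, so nothing inside it counts as a class node.
    if (Object.keys(node).length === 1 && "__lc_escaped__" in node) return;
    if ("lc" in node) checkLcNode(node, findings);
  }
  for (const value of Object.values(node)) auditNode(value, findings, depth + 1);
}

function checkLcNode(node, findings) {
  const idOk = Array.isArray(node.id) && node.id.every((s) => typeof s === "string");
  if (!idOk) {
    findings.push("lc node without a string-array id");
  } else if (node.type === "constructor") {
    const path = node.id.join("/");
    if (!ALLOWED_CLASS_PATHS.has(path)) findings.push(`class not allowlisted: ${path}`);
  } else if (node.type === "secret") {
    const name = node.id.join("/");
    if (!ALLOWED_SECRET_NAMES.has(name)) findings.push(`secret not allowlisted: ${name}`);
  } else {
    findings.push(`unexpected lc node type: ${String(node.type)}`);
  }
}

// Returns a list of findings; an empty list means the payload passed the audit.
function auditSerialized(text) {
  let parsed;
  try { parsed = JSON.parse(text); } catch { return ["not valid JSON"]; }
  const findings = [];
  auditNode(parsed, findings, 0);
  return findings;
}
```

An empty findings list only shows that the payload stays inside the static allowlists; it does not turn untrusted input into trusted input, so the guidance above on data origin still applies.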

Interfaces

interface
LoadOptions

Options for loading serialized LangChain objects.
