LangChain Core Serialization Injection Vulnerability (CVE-2025-68664)
Summary
Hide ▲
Show ▼
A critical serialization injection vulnerability in LangChain Core (CVE-2025-68664) allows attackers to steal secrets and manipulate LLM responses. The flaw, dubbed LangGrinch, arises from improper escaping of dictionaries with 'lc' keys during serialization. The vulnerability affects multiple versions of LangChain Core and LangChain.js, with patches available. The issue enables secret extraction from environment variables, instantiation of classes in trusted namespaces, and potential arbitrary code execution via Jinja2 templates. The patch introduces restrictive defaults and blocks Jinja2 templates by default. The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.
Timeline
-
26.12.2025 11:27 1 articles · 23h ago
Critical LangChain Core Serialization Injection Vulnerability Disclosed
A critical serialization injection vulnerability in LangChain Core (CVE-2025-68664) allows attackers to steal secrets and manipulate LLM responses. The flaw, dubbed LangGrinch, arises from improper escaping of dictionaries with 'lc' keys during serialization. The vulnerability affects multiple versions of LangChain Core and LangChain.js, with patches available. The issue enables secret extraction from environment variables, instantiation of classes in trusted namespaces, and potential arbitrary code execution via Jinja2 templates. The patch introduces restrictive defaults and blocks Jinja2 templates by default. The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.
Show sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
Information Snippets
-
LangChain Core (langchain-core) is a core Python package providing interfaces and abstractions for LLM-powered applications.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The vulnerability, CVE-2025-68664, has a CVSS score of 9.3 out of 10.0.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The flaw is due to the dumps() and dumpd() functions not escaping dictionaries with 'lc' keys during serialization.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The 'lc' key is used internally by LangChain to mark serialized objects.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The vulnerability allows secret extraction, instantiation of classes in trusted namespaces, and potential arbitrary code execution via Jinja2 templates.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The patch introduces restrictive defaults in load() and loads() functions, blocks Jinja2 templates by default, and sets 'secrets_from_env' to 'False'.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
Affected versions of langchain-core include >= 1.0.0, < 1.2.5 (fixed in 1.2.5) and < 0.3.81 (fixed in 0.3.81).
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
A similar vulnerability, CVE-2025-68665, affects LangChain.js with a CVSS score of 8.6.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
Affected versions of LangChain.js include @langchain/core >= 1.0.0, < 1.1.8 (fixed in 1.1.8), @langchain/core < 0.3.80 (fixed in 0.3.80), langchain >= 1.0.0, < 1.2.3 (fixed in 1.2.3), and langchain < 0.3.37 (fixed in 0.3.37).
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
-
The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.
First reported: 26.12.2025 11:271 source, 1 articleShow sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection — thehackernews.com — 26.12.2025 11:27
Similar Happenings
High-Severity Memory-Read Flaw in MongoDB Requires Immediate Patching
MongoDB has disclosed a high-severity flaw (CVE-2025-14847) affecting multiple versions of its database software. The vulnerability, which allows unauthenticated attackers to read uninitialized heap memory, stems from improper handling of length parameter inconsistencies in the zlib compression implementation. Admins are urged to upgrade to patched versions immediately or disable zlib compression as a temporary mitigation. The flaw has not been officially classified as an RCE, but it poses significant risks. The U.S. CISA previously added another MongoDB RCE flaw (CVE-2019-10758) to its list of known exploited vulnerabilities, highlighting the ongoing risks associated with MongoDB instances.