A vital safety vulnerability in LangChain, one of many world’s most generally deployed AI frameworks, permits attackers to extract setting variable secrets and techniques and, by a serialization injection flaw, probably obtain code execution.
The vulnerability, recognized as CVE-2025-68664, impacts the core langchain-core library and was disclosed on December 25, 2024, by safety researcher Yarden Porat from Cyata.
Vulnerability Overview
The vulnerability stems from improper dealing with of serialization features, dumps(), and dumpd() in langchain-core.
| Attribute | Particulars |
|---|---|
| CVE ID | CVE-2025-68664 |
| GHSA ID | GHSA-c67j-w6g6-q2cm |
| CVSS Rating | 9.3 (Crucial) |
These features failed to flee user-controlled dictionaries containing the reserved ‘lc’ key, which LangChain makes use of internally to mark serialized objects.
When attacker-controlled information consists of this key construction, it’s handled as a reliable LangChain object throughout deserialization somewhat than plain consumer information.
The vulnerability impacts purposes that use customary LangChain options, together with astream_events(model=”v1″), Runnable: astream_log(), RunnableWithMessageHistory, and varied caching mechanisms.
Essentially the most harmful assault path entails immediate injection by way of LLM response fields akin to additional_kwargs or response_metadata, which will be serialized and deserialized by way of customary streaming operations.
Profitable exploitation permits attackers to extract setting variable secrets and techniques by injecting constructions like {“lc”: 1, “kind”: “secret”, “id”: [“ENV_VAR”]} throughout deserialization when secrets_from_env=True (the earlier default setting).
Attackers may also instantiate courses with managed parameters inside trusted namespaces, probably triggering community calls, file operations, or code execution by Jinja2 template rendering.
LangChain has launched patches in variations 1.2.5 and 0.3.81 that repair the escaping bug and introduce restrictive defaults.
The allowed_objects parameter now defaults to ‘core’ (limiting deserialization to core objects), secrets_from_env modified from True to False, and Jinja2 templates at the moment are blocked by default by a brand new init_validator parameter.
Most customers deserializing customary LangChain varieties will expertise no disruption, however customized implementations might require code changes.
Organizations working LangChain in manufacturing ought to replace instantly, because the framework has recorded roughly 847 million whole downloads, together with 98 million within the final month alone.
LangChain awarded a $4,000 bounty for this discovering the utmost ever awarded within the venture.
Comply with us on Google Information, LinkedIn, and X to Get On the spot Updates and Set GBH as a Most well-liked Supply in Google.
