Search criteria
4 vulnerabilities found for langchain by langchain-ai
CVE-2025-68664 (GCVE-0-2025-68664)
Vulnerability from nvd – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
VLAI?
Title
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Severity ?
9.3 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.2.5
Affected: < 0.3.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68664",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:40:55.506059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:40:58.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.2.5"
},
{
"status": "affected",
"version": "\u003c 0.3.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T22:47:44.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34455"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34458",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34458"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
}
],
"source": {
"advisory": "GHSA-c67j-w6g6-q2cm",
"discovery": "UNKNOWN"
},
"title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68664",
"datePublished": "2025-12-23T22:47:44.084Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2025-12-24T14:40:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65106 (GCVE-0-2025-65106)
Vulnerability from nvd – Published: 2025-11-21 21:43 – Updated: 2025-11-21 21:53
VLAI?
Title
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
Summary
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.0.7
Affected: < 0.3.80 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T21:53:02.259742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:53:19.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.7"
},
{
"status": "affected",
"version": "\u003c 0.3.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain\u0027s prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:43:02.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00"
}
],
"source": {
"advisory": "GHSA-6qv9-48xg-fc7f",
"discovery": "UNKNOWN"
},
"title": "LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65106",
"datePublished": "2025-11-21T21:43:02.461Z",
"dateReserved": "2025-11-17T20:55:34.694Z",
"dateUpdated": "2025-11-21T21:53:19.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68664 (GCVE-0-2025-68664)
Vulnerability from cvelistv5 – Published: 2025-12-23 22:47 – Updated: 2025-12-24 14:40
VLAI?
Title
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Severity ?
9.3 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.2.5
Affected: < 0.3.81 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68664",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T14:40:55.506059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T14:40:58.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.2.5"
},
{
"status": "affected",
"version": "\u003c 0.3.81"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain\u0027s dumps() and dumpd() functions. The functions do not escape dictionaries with \u0027lc\u0027 keys when serializing free-form dictionaries. The \u0027lc\u0027 key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T22:47:44.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34455",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34455"
},
{
"name": "https://github.com/langchain-ai/langchain/pull/34458",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/pull/34458"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
},
{
"name": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
}
],
"source": {
"advisory": "GHSA-c67j-w6g6-q2cm",
"discovery": "UNKNOWN"
},
"title": "LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68664",
"datePublished": "2025-12-23T22:47:44.084Z",
"dateReserved": "2025-12-22T23:28:02.917Z",
"dateUpdated": "2025-12-24T14:40:58.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65106 (GCVE-0-2025-65106)
Vulnerability from cvelistv5 – Published: 2025-11-21 21:43 – Updated: 2025-11-21 21:53
VLAI?
Title
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
Summary
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| langchain-ai | langchain |
Affected:
>= 1.0.0, < 1.0.7
Affected: < 0.3.80 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T21:53:02.259742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:53:19.566Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "langchain",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c 1.0.7"
},
{
"status": "affected",
"version": "\u003c 0.3.80"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain\u0027s prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T21:43:02.461Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a"
},
{
"name": "https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00"
}
],
"source": {
"advisory": "GHSA-6qv9-48xg-fc7f",
"discovery": "UNKNOWN"
},
"title": "LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65106",
"datePublished": "2025-11-21T21:43:02.461Z",
"dateReserved": "2025-11-17T20:55:34.694Z",
"dateUpdated": "2025-11-21T21:53:19.566Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}