RHSA-2026:1610

Vulnerability from csaf_redhat - Published: 2026-01-30 18:51 - Updated: 2026-03-23 17:12
Summary
Red Hat Security Advisory: Red Hat OpenShift Lightspeed 1.0.9 security update
Severity
Critical
Notes
Topic: Red Hat OpenShift Lightspeed 1.0.9 operand images, which provide security fixes and container updates.
Details: Red Hat OpenShift Lightspeed is a generative AI-based virtual assistant integrated into the OpenShift console. It can answer questions related to OpenShift and layered offerings.
Security Fix(es): langchain-core: LangChain: Arbitrary code execution via serialization injection (CVE-2025-68664)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in LangChain, a framework for building agents and LLM-powered applications. A remote attacker can exploit a serialization injection vulnerability in LangChain's `dumps()` and `dumpd()` functions. This occurs because the functions do not properly escape dictionaries containing the internal 'lc' key during serialization. When user-controlled data includes this key structure, it is incorrectly processed as a legitimate LangChain object during deserialization, potentially leading to arbitrary code execution.

CWE-502 - Deserialization of Untrusted Data
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2026:1610

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat OpenShift Lightspeed 1.0.9 operand images, which provide security fixes\nand container updates.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat OpenShift Lightspeed is a generative AI-based virtual assistant integrated\ninto the OpenShift console. It can answer questions related to OpenShift and layered\nofferings.\nSecurity Fix(es):\nlangchain-core: LangChain: Arbitrary code execution via serialization injection (CVE-2025-68664)\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.`",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:1610",
        "url": "https://access.redhat.com/errata/RHSA-2026:1610"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2025-68664",
        "url": "https://access.redhat.com/security/cve/CVE-2025-68664"
      },
      {
        "category": "external",
        "summary": "https://docs.openshift.com/lightspeed/1.0tp1/about/ols-about-openshift-lightspeed.html",
        "url": "https://docs.openshift.com/lightspeed/1.0tp1/about/ols-about-openshift-lightspeed.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_1610.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift Lightspeed 1.0.9 security update",
    "tracking": {
      "current_release_date": "2026-03-23T17:12:12+00:00",
      "generator": {
        "date": "2026-03-23T17:12:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2026:1610",
      "initial_release_date": "2026-01-30T18:51:47+00:00",
      "revision_history": [
        {
          "date": "2026-01-30T18:51:47+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-02-11T21:09:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-23T17:12:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift Lightspeed 1.0.11",
                "product": {
                  "name": "Red Hat OpenShift Lightspeed 1.0.11",
                  "product_id": "Red Hat OpenShift Lightspeed 1.0.11",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_lightspeed:1::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Lightspeed"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-console-plugin-rhel9@sha256%3Aeae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769776075"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-console-plugin-pf5-rhel9@sha256%3A467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769780437"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-ocp-rag-rhel9@sha256%3A2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769584348"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-service-api-rhel9@sha256%3Ab66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769058587"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-to-dataverse-exporter-rhel9@sha256%3Ae4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769778589"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-mcp-server-rhel9@sha256%3A6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769752297"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-console-plugin-rhel9@sha256%3A0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7?arch=arm64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769776075"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-console-plugin-pf5-rhel9@sha256%3A3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93?arch=arm64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769780437"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/lightspeed-service-api-rhel9@sha256%3A23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621?arch=arm64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769058587"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64",
                "product": {
                  "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64",
                  "product_id": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-mcp-server-rhel9@sha256%3Ab00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e?arch=arm64\u0026repository_url=registry.redhat.io/openshift-lightspeed\u0026tag=1769752297"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64 as a component of Red Hat OpenShift Lightspeed 1.0.11",
          "product_id": "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64"
        },
        "product_reference": "registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64",
        "relates_to_product_reference": "Red Hat OpenShift Lightspeed 1.0.11"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-68664",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2025-12-23T23:00:49.746016+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2424790"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in LangChain, a framework for building agents and LLM-powered applications. A remote attacker can exploit a serialization injection vulnerability in LangChain\u0027s `dumps()` and `dumpd()` functions. This occurs because the functions do not properly escape dictionaries containing the internal \u0027lc\u0027 key during serialization. When user-controlled data includes this key structure, it is incorrectly processed as a legitimate LangChain object during deserialization, potentially leading to arbitrary code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "langchain-core: LangChain: Arbitrary code execution via serialization injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Critical for Red Hat products. A serialization injection flaw in LangChain\u0027s `dumps()` and `dumpd()` functions allows remote attackers to achieve arbitrary code execution. This occurs when user-controlled data containing the internal \u0027lc\u0027 key is improperly deserialized as a legitimate LangChain object.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64"
        ],
        "known_not_affected": [
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
          "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-68664"
        },
        {
          "category": "external",
          "summary": "RHBZ#2424790",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2424790"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-68664",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-68664"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-68664",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68664"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8",
          "url": "https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6",
          "url": "https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/pull/34455",
          "url": "https://github.com/langchain-ai/langchain/pull/34455"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/pull/34458",
          "url": "https://github.com/langchain-ai/langchain/pull/34458"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81",
          "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5",
          "url": "https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5"
        },
        {
          "category": "external",
          "summary": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm",
          "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm"
        }
      ],
      "release_date": "2025-12-23T22:47:44.084000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-01-30T18:51:47+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:1610"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:3ac83417d72cf2b38a39df24bc1a3a912d71d7045cb9d85f5763337a000f8b93_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9@sha256:467aac9c025a05a567465a2948fef358b9754de6d38a2615c1d6c0eec1885673_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:0a828314e37381bcca30b9a4f628a2dd4144422004625c6fba512dbe7db18bf7_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-rhel9@sha256:eae3fe71c6bca8f5f887eb3522e48a46c290ccb93ea7b1c6e6f67afac2735783_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-ocp-rag-rhel9@sha256:2994e8938525281d5444ca4e0fee846f42048bd687a20119747f0532b6623302_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:23af5c023d054ad9f607f4a8df270c01607a7ace1acd328b5c3702e32dccb621_arm64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-service-api-rhel9@sha256:b66f6af7bbabeff59290842e6a72229f088293675091a019a86a5d23d1e9e821_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/lightspeed-to-dataverse-exporter-rhel9@sha256:e4c636d398654fa0cb60f13beec1cbfb8bc6498cc67c420f9b53edcb06f6ffaa_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:6c25fef6a572ae0d8fcaf028a2f4e899dc7e1f7da694a6c60d225ac072bcba2e_amd64",
            "Red Hat OpenShift Lightspeed 1.0.11:registry.redhat.io/openshift-lightspeed/openshift-mcp-server-rhel9@sha256:b00fcd93824bca75c018f2d0e33b74dd964c4d7810a5c04f5dda4de9b2e3694e_arm64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "langchain-core: LangChain: Arbitrary code execution via serialization injection"
    }
  ]
}

