CVE-2025-65106
Published 2025-11-21
| Field | Value |
|---|---|
| Priority | P3 (50) |
| Severity | high |
| CVSS 4.0 base score | 8.3 |
| CVSS 4.0 vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| EPSS | 0.47% (36.9th percentile) |
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain | < 0.3.80 | 0.3.80 |
| langchain-ai | langchain | >= 1.0.0, < 1.0.7 | 1.0.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 4.0 | 8.3 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Red Hat (vendor) | — | 8.3 | HIGH | — |
Red Hat
langchain-core: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
vendor_redhat · 2025-11-21 · CVSS 8.3 · HIGH · CWE-1336
LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.
A template-injection vulnerability in LangChain's prompt template system allowed untrusted template strings to access Python object internals through attribute traversal and indexing.
OSV
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
osv · 2025-11-20 · HIGH
## Context
A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept **untrusted template strings** (not just template variables) in `ChatPromptTemplate` and related prompt template classes.
Templates allow attribute access (`.`) and indexing (`[]`) but not method invocation (`()`).
The combination of attribute access and indexing may enable exploitation depending on which objects are passed to templates. When template variables are simple strings (the common case), the impact is limited. However, when using `MessagesPlaceholder` with chat message obj
GHSA
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
ghsa · 2025-11-20 · HIGH · CWE-1336
## Context
A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept **untrusted template strings** (not just template variables) in `ChatPromptTemplate` and related prompt template classes.
Templates allow attribute access (`.`) and indexing (`[]`) but not method invocation (`()`).
The combination of attribute access and indexing may enable exploitation depending on which objects are passed to templates. When template variables are simple strings (the common case), the impact is limited. However, when using `MessagesPlaceholder` with chat message obj
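One defender-side gate for the condition the advisory names, added here as an illustration and not taken from LangChain or from the advisory text: f-string-style templates use the same replacement-field grammar as `str.format`, so the standard library's `string.Formatter` can enumerate every field in an untrusted template string before it is handed to `ChatPromptTemplate`, and any field that is not a bare variable name (i.e. one that contains the `.` or `[]` traversal the advisory describes) can be refused. The function names `find_unsafe_fields` and `assert_safe_template` and the sample templates are assumptions of this example; it imports nothing from LangChain so it runs offline.

```python
"""Gate untrusted f-string-style prompt templates on their replacement fields.

Added illustration (not LangChain's own code). The advisory notes that templates
allow attribute access (".") and indexing ("[]"). Formatter.parse() yields each
replacement field's name as written, so a template that only references bare
variable names can be told apart from one that traverses into the bound objects.
"""
import re
from string import Formatter

# A "safe" field is a bare Python identifier: {name}, {user_input}, {_ctx}.
# Anything else ({user.name}, {messages[0]}, {}, {0}) is rejected.
_PLAIN_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def find_unsafe_fields(template: str) -> list[str]:
    """Return every replacement field of ``template`` that is not a bare name.

    Escaped braces (``{{`` / ``}}``) produce no field and are ignored. Format
    specs are parsed recursively because they may nest fields of their own
    (``{x:{cfg.width}}``). A malformed template (unbalanced braces) raises the
    ValueError that Formatter.parse() itself raises.
    """
    unsafe: list[str] = []
    for _literal, field, spec, _conversion in Formatter().parse(template):
        if field is None:          # pure literal text, or an escaped brace
            continue
        if not _PLAIN_IDENT.match(field):
            unsafe.append(field)
        if spec and "{" in spec:   # nested replacement field inside the spec
            unsafe.extend(find_unsafe_fields(spec))
    return unsafe


def assert_safe_template(template: str) -> str:
    """Return ``template`` unchanged, or raise ValueError naming the offending fields."""
    bad = find_unsafe_fields(template)
    if bad:
        raise ValueError(f"template uses attribute/index access in fields: {bad}")
    return template


if __name__ == "__main__":
    # Constructed sample templates, as a tenant-supplied template might look.
    samples = [
        "You are a helpful assistant. Answer about {topic} for {name}.",
        "Greet {user.name} politely.",
        "Repeat the first turn: {messages[0]}",
        "Literal braces {{are fine}} next to {name}",
    ]
    for sample in samples:
        print(repr(sample), "->", find_unsafe_fields(sample) or "ok")
```

The check is applied to the template string, which is the input the advisory identifies as untrusted; it says nothing about the variables later bound to the template, and it does not replace upgrading to 0.3.80 or 1.0.7.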
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-21