CVE-2025-68664
Published 2025-12-23
Priority: P2 · 69 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EXPLOIT
EPSS: 13.83% (96.1th percentile)
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain | < 0.3.81 | 0.3.81 |
| langchain-ai | langchain | — | — |
| langchain | langchain_core | < 0.3.81 | 0.3.81 |
| langchain | langchain_core | >= 1.0.0 < 1.2.5 | 1.2.5 |
Detection & IOCs (extracted from sources)
command: `{{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}`
other: `payload={"exploit":{"lc":1,"type":"constructor","id":["langchain_core","prompts","prompt","PromptTemplate"],"kwargs":{"input_variables":[],"template":"...","template_format":"jinja2"}}}`
- Detect deserialization payloads containing the 'lc' key with value 1 and 'type': 'constructor' in user-controlled input passed to LangChain's dumps()/dumpd()/load() functions — this is the hallmark of CVE-2025-68664 exploitation.
- Alert on user-supplied dictionaries containing the nested key structure {'lc': 1, 'type': 'constructor', 'id': [...]} reaching LangChain serialization/deserialization code paths.
- Watch for secrets_from_env=True being used in load() calls combined with externally sourced serialized data, as this allows the exploit to exfiltrate environment variables and API keys.
- Flag any LangChain deployment running langchain-core versions < 0.3.81, or >= 1.0.0 and < 1.2.5, as vulnerable; prioritize patching given active PoC exploit availability.
- The vulnerability is only exploitable when user-controlled data is passed into LangChain's dumps()/dumpd() serialization functions and subsequently deserialized via load()/loads(). Applications that do not pass untrusted user input through these functions are not directly at risk.
- The exploit demonstrated uses secrets_from_env=True in the load() call, meaning environment variable/API key exfiltration is contingent on this flag being enabled in the target application.
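The checks in the detection notes above, written out as an added example (not code from LangChain or from any of the quoted sources): it walks a parsed JSON request for dictionaries carrying the reserved 'lc' key, including JSON embedded in string fields, and applies the affected langchain_core ranges from the table. The function names, the `<json>` path suffix and the sample request are assumptions of this example.

```python
import json
import re
from typing import Any, Iterator, Tuple

def find_lc_markers(value: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (path, kind) for each dict carrying LangChain's reserved 'lc' key."""
    if isinstance(value, dict):
        if "lc" in value:
            is_ctor = (value.get("lc") == 1 and value.get("type") == "constructor"
                       and isinstance(value.get("id"), list))
            yield path, "constructor" if is_ctor else "lc-key"
        for key, child in value.items():
            yield from find_lc_markers(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from find_lc_markers(child, f"{path}[{i}]")
    elif isinstance(value, str) and value.lstrip()[:1] in ("{", "["):
        # A string field may itself hold a JSON document; inspect it too.
        try:
            yield from find_lc_markers(json.loads(value), path + "<json>")
        except ValueError:
            pass  # not JSON after all: plain text, nothing to flag

def core_is_affected(version: str) -> bool:
    """Apply the page's ranges to a release version: < 0.3.81, or >= 1.0.0 and < 1.2.5."""
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    nums += (0,) * (3 - len(nums))
    return nums < (0, 3, 81) or (1, 0, 0) <= nums < (1, 2, 5)

# Constructed sample request body (not captured traffic); the template is a harmless literal.
SAMPLE = json.dumps({
    "user": "alice",
    "metadata": {
        "note": {"lc": "my own field"},
        "exploit": {"lc": 1, "type": "constructor",
                    "id": ["langchain_core", "prompts", "prompt", "PromptTemplate"],
                    "kwargs": {"input_variables": [], "template": "hello"}},
    },
    "history": ['{"lc": 1, "type": "constructor", "id": ["x"], "kwargs": {}}'],
})

def scan(raw: str) -> list:
    """Parse a JSON request body and return every finding as a list."""
    return list(find_lc_markers(json.loads(raw)))

if __name__ == "__main__":
    for where, kind in scan(SAMPLE):
        print(f"{kind:12} {where}")
```

A "constructor" finding matches the full marker shape from the notes; an "lc-key" finding is a dictionary that merely uses the reserved key and is worth logging because unpatched dumps()/dumpd() would not escape it.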
CVSS provenance
nvd · v3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vendor_redhat · 9.3 CRITICAL
Red Hat
langchain-core: LangChain: Arbitrary code execution via serialization injection
vendor_redhat·2025-12-23·CVSS 9.3
CVE-2025-68664 [CRITICAL] CWE-502 langchain-core: LangChain: Arbitrary code execution via serialization injection
A flaw was found in LangChain, a framework for building agents and LLM-powered applications. A remote attacker can exploit a seriali
OSV
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
osv·2025-12-23
CVE-2025-68664 [CRITICAL] LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
## Summary
A serialization injection vulnerability exists in LangChain's `dumps()` and `dumpd()` functions. The functions do not escape dictionaries with `'lc'` keys when serializing free-form dictionaries. The `'lc'` key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.
### Attack surface
The core vulnerability was in `dumps()` and `dumpd()`: these functions failed to escape user-controlled dictionaries containing `'lc'` keys. When this unescaped data was later deserialized via `load()` or `loads()`, the injected structures were tr
GHSA
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
ghsa·2025-12-23
CVE-2025-68664 [CRITICAL] CWE-502 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs
No detection rules found.
Hackernews
LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
blogs_hackernews·2026-03-27·CVSS 7.3
[HIGH] LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
## LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain for more sophisticated and non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core,
Checkpoint
29th December – Threat Intelligence Report
blogs_checkpoint·2025-12-29
CVE-2025-14847 29th December – Threat Intelligence Report
## 29th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Romanian Waters, the country’s national water management authority, was hit by a ransomware attack that resulted in nearly 1,000 computer systems across national and regional offices being encrypted. The attack affected geographic information systems, databases, email, web servers, and Windows workstations. Operational
Wiz
CVE-2025-68664 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-68664 [CRITICAL] CVE-2025-68664 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68664: Python vulnerability analysis and mitigation
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Source: NVD
Score: 8.2
Published: December 23, 2025
Severity: HIGH
CNA Score: 9.3
High-profile Vulnerability: Yes
Affected Technologies
P
- https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8
- https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6
- https://github.com/langchain-ai/langchain/pull/34455
- https://github.com/langchain-ai/langchain/pull/34458
- https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81
- https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5
- https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
Published: 2025-12-23