CVE-2025-68664
published 2025-12-23

Priority: P269 · high · 8.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EXPLOIT
EPSS: 13.83% (96.1th percentile)

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain-ai | langchain | < 0.3.81 | 0.3.81 |
| langchain-ai | langchain | | |
| langchain | langchain_core | < 0.3.81 | 0.3.81 |
| langchain | langchain_core | >= 1.0.0 < 1.2.5 | 1.2.5 |

Detection & IOCs (extracted from sources)

command: {{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}
other: payload={"exploit":{"lc":1,"type":"constructor","id":["langchain_core","prompts","prompt","PromptTemplate"],"kwargs":{"input_variables":[],"template":"...","template_format":"jinja2"}}}
  • Detect deserialization payloads containing the 'lc' key with value 1 and 'type': 'constructor' in user-controlled input passed to LangChain's dumps()/dumpd()/load() functions — this is the hallmark of CVE-2025-68664 exploitation.
  • Alert on user-supplied dictionaries containing the nested key structure {'lc': 1, 'type': 'constructor', 'id': [...]} reaching LangChain serialization/deserialization code paths.
  • Watch for secrets_from_env=True being used in load() calls combined with externally sourced serialized data, as this allows the exploit to exfiltrate environment variables and API keys.
  • Flag any LangChain deployment running langchain-core < 0.3.81, or a 1.x release >= 1.0.0 and < 1.2.5, as vulnerable; prioritize patching given active PoC exploit availability.
  • The vulnerability is only exploitable when user-controlled data is passed into LangChain's dumps()/dumpd() serialization functions and subsequently deserialized via load()/loads(). Applications that do not pass untrusted user input through these functions are not directly at risk.
  • The exploit demonstrated uses secrets_from_env=True in the load() call, meaning environment variable/API key exfiltration is contingent on this flag being enabled in the target application.
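
The first two detection points and the version check above, as an added example in plain Python (not LangChain code and not taken from the sources this page quotes). The function names, the depth limit and the sample request body are assumptions made for illustration; it is meant to run on untrusted input before that input reaches dumps()/dumpd().

```python
import json

MAX_DEPTH = 64  # assumption: report overly deep input instead of recursing further

def find_lc_markers(value, path="$", depth=0):
    """Return [(path, kind)] for every dict in `value` that carries an 'lc' key.
    kind is "constructor" for the {'lc': 1, 'type': 'constructor', 'id': [...]}
    shape named in the detection notes, otherwise "lc-key"."""
    if depth > MAX_DEPTH:
        return [(path, "too-deep")]
    hits = []
    if isinstance(value, str) and value.lstrip().startswith(("{", "[")):
        try:  # JSON carried inside a string field is parsed and walked too
            return find_lc_markers(json.loads(value), path + "<json>", depth + 1)
        except (ValueError, RecursionError):
            return hits
    if isinstance(value, dict):
        if "lc" in value:
            exact = (value.get("lc") == 1 and value.get("type") == "constructor"
                     and isinstance(value.get("id"), list))
            hits.append((path, "constructor" if exact else "lc-key"))
        for key, child in value.items():
            hits += find_lc_markers(child, f"{path}.{key}", depth + 1)
    elif isinstance(value, (list, tuple)):
        for i, child in enumerate(value):
            hits += find_lc_markers(child, f"{path}[{i}]", depth + 1)
    return hits

def core_version_affected(version):
    """True for langchain-core < 0.3.81, or >= 1.0.0 and < 1.2.5 (numeric X.Y.Z only)."""
    v = tuple(int(part) for part in version.split(".")[:3])
    return v < (0, 3, 81) or (1, 0, 0) <= v < (1, 2, 5)

# Constructed sample request body; the template text is a placeholder.
SAMPLE = {
    "user": "alice",
    "metadata": {"note": "hello", "exploit": {
        "lc": 1, "type": "constructor",
        "id": ["langchain_core", "prompts", "prompt", "PromptTemplate"],
        "kwargs": {"template": "<placeholder>"}}},
    "history": ['{"lc": 2, "data": "x"}', {"title": "lc is just a word here"}],
}

if __name__ == "__main__":
    for where, kind in find_lc_markers(SAMPLE):
        print(kind, where)
    print(core_version_affected("0.3.80"), core_version_affected("1.2.5"))
```

A "constructor" hit in user-controlled data warrants an alert or rejection; a bare "lc-key" hit can be legitimate user data and is safe once the deployment runs a fixed release.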

CVSS provenance

nvd · v3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vendor_redhat · 9.3 CRITICAL