Critical LangChain Vulnerability Exposes API Keys and Sensitive Credentials

A critical security flaw in LangChain, one of the world’s most widely deployed AI frameworks, could allow attackers to extract sensitive environment variables and execute malicious code through a sophisticated serialization injection vulnerability.

Security researcher Yarden Porat discovered CVE-2025-68664, a vulnerability residing in langchain-core that exploits how the framework handles internal serialization markers, as reported by Cyata Ai.

The flaw received a CVSS score of 9.3, indicating critical severity.

Attribute | Details
CVE ID | CVE-2025-68664
Vulnerability type | Serialization Injection
CVSS Score | 9.3 (Critical)

The Vulnerability Explained

LangChain uses a special internal serialization format where dictionaries containing an ‘lc’ marker represent LangChain objects.

The core issue stemmed from the dumps() and dumpd() functions failing to properly escape user-controlled dictionaries that included this reserved ‘lc’ key.

When attackers inject dictionaries with ‘lc’ keys into user-controlled fields such as additional_kwargs or response_metadata, these structures are treated as legitimate LangChain objects during deserialization rather than as plain user data.

This misidentification enables attackers to instantiate arbitrary objects within trusted namespaces, potentially triggering dangerous side effects.
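A defensive check for the pattern described above, as an added example that is not from LangChain or the original article: it walks the user-controlled fields named here (additional_kwargs, response_metadata) of a message held as a plain dict and reports every nested dictionary carrying the reserved 'lc' key. The function names, the depth limit and the sample messages are assumptions constructed for illustration.

```python
"""Added example: flag reserved 'lc' keys in user-controlled message fields."""
from typing import Any, Iterator

RESERVED_KEY = "lc"  # serialization marker named in the article
# Fields the article names as user-controlled; extend for your own schema.
USER_FIELDS = ("additional_kwargs", "response_metadata")
MAX_DEPTH = 64  # assumption: deeper nesting is reported instead of walked


def find_reserved(value: Any, path: str = "$", depth: int = 0) -> Iterator[str]:
    """Yield the JSON-style path of every dict that carries the reserved key."""
    if depth > MAX_DEPTH:
        # Also stops self-referencing structures from recursing forever.
        yield f"{path} (nesting deeper than {MAX_DEPTH}, not inspected)"
        return
    if isinstance(value, dict):
        if RESERVED_KEY in value:
            yield path
        for key, child in value.items():
            yield from find_reserved(child, f"{path}.{key}", depth + 1)
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from find_reserved(child, f"{path}[{index}]", depth + 1)


def audit_message(message: dict) -> list[str]:
    """Return paths of reserved markers inside the user-controlled fields."""
    hits: list[str] = []
    for field in USER_FIELDS:
        hits.extend(find_reserved(message.get(field, {}), f"$.{field}"))
    return hits


# Constructed sample messages (plain dicts, not LangChain objects).
CLEAN = {"content": "hi", "additional_kwargs": {"tool_calls": []},
         "response_metadata": {"model": "example"}}
SUSPECT = {"content": "hi",
           "additional_kwargs": {"extra": [{"lc": 1, "note": "constructed"}]},
           "response_metadata": {"usage": {"lc": 1}}}

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_message(msg))
```

Running such a check on data before it is logged, cached or stored in message history gives a signal for the flows listed below; it complements upgrading and does not replace it.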

The vulnerability affects multiple common LangChain workflows, including event streaming, logging, message history management, and caching.

Researchers identified 12 distinct vulnerable flows where exploitation could occur.

The most severe outcomes include extraction of secrets from environment variables (particularly when secrets_from_env=True, which was the default setting until the patch) and instantiation of objects that trigger network calls, file operations, or other constructor side effects.

Under specific conditions, attackers could potentially achieve arbitrary code execution.

The vulnerability proved particularly dangerous because prompt injection attacks could influence LLM outputs in fields that later undergo serialization and deserialization, creating an indirect exploitation path.

Attackers could exfiltrate credentials by instantiating classes like ChatBedrockConverse from langchain_aws, which makes GET requests during construction with attacker-controlled endpoints.

LangChain released patches in versions 1.2.5 and 0.3.81 that fix the escaping bug and introduce significant security hardening measures.

The updates changed default behaviors, including setting allowed_objects="core" to enforce allowlists, changing secrets_from_env from True to False, and implementing default Jinja2 template blocking.

The LangChain team awarded a $4,000 bounty for this finding, the maximum amount ever awarded in the project’s history. Organizations running LangChain in production environments should update immediately to mitigate this critical vulnerability.


The post Critical LangChain Vulnerability Exposes API Keys and Sensitive Credentials appeared first on Cyber Security News.

