CVE-2025-68664
Serialization Injection vulnerability in langchain-core (PyPI)

What is CVE-2025-68664 About?

This is a serialization injection vulnerability in LangChain's Python `dumps()` and `dumpd()` functions, where user-controlled data containing the internal `'lc'` key structure is not properly escaped during serialization. Successful exploitation allows attackers to inject malicious LangChain objects during deserialization, leading to sensitive information disclosure (like environment variables) or the instantiation of classes with side effects within trusted namespaces. Exploitation requires the application to serialize and deserialize untrusted data.

Affected Software

  • langchain-core
    • <0.3.81
    • >=1.0.0, <1.2.5

Technical Details

The core of this vulnerability lies in the `dumps()` and `dumpd()` functions within LangChain's Python library. These functions fail to properly escape dictionaries that contain the `'lc'` key when serializing free-form data. The `'lc'` key is an internal marker used by LangChain to identify serialized objects. When user-controlled input, such as data from LLM responses or metadata fields, contains a dictionary with an `'lc'` key (e.g., `{"lc": 1, "type": "secret", "id": ["ENV_VAR"]}`), the serialization process treats this as a legitimate LangChain object structure rather than plain user data. Upon subsequent deserialization using `load()` or `loads()`, the injected structure is interpreted as an actual LangChain object.

This allows an attacker to inject arbitrary `Serializable` subclass instantiation within pre-approved trusted namespaces (`langchain_core`, `langchain`, `langchain_community`), potentially triggering side effects such as network calls or file operations. Furthermore, if the `secrets_from_env` parameter is set to `True` (which was the default prior to the patch), attackers can inject secret structures to extract environment variables from the running application.

What is the Impact of CVE-2025-68664?

Successful exploitation may allow attackers to disclose sensitive environment variables, instantiate arbitrary classes within trusted namespaces with attacker-controlled parameters, and potentially trigger unintended side effects like network requests or file operations.

What is the Exploitability of CVE-2025-68664?

Exploitation of this vulnerability is moderately complex, primarily requiring the attacker to control data that will be serialized and subsequently deserialized by a vulnerable LangChain application. There are no authentication requirements for the vulnerability itself, but the attacker needs to interact with an application that uses the vulnerable serialization/deserialization methods, typically via user inputs or LLM response fields (e.g., `additional_kwargs`, `response_metadata`). Local or remote access depends on the application's nature; if it's a web application, remote exploitation is possible.

Key prerequisites include the application using `dumps()` or `dumpd()` on untrusted data which is later deserialized, or directly deserializing untrusted input. The default settings prior to the patch, specifically `secrets_from_env=True`, significantly increased the likelihood and impact of secret extraction. Prompt injection can be a risk factor if LLM responses containing malicious `'lc'` structures are then serialized/deserialized.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2025-68664?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch introduces an escaping mechanism that wraps any user-supplied dictionaries containing the special 'lc' key with a sentinel ("__lc_escaped__"), ensuring such data cannot be interpreted as a LangChain object during deserialization. This prevents class or secret injection attacks by making sure only trusted, explicitly-serialized LangChain objects can be instantiated, thereby fixing vulnerability CVE-2025-68664, which allowed attackers to craft inputs that would cause deserialization of arbitrary or malicious classes. The change ensures that injected data will be safely treated as plain data, not executable object definitions.
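
A simplified model of the flaw and of the escaping fix described above, added here as an illustration; it is not LangChain's code or Resolved Security's patch. The toy serializer and loader, the `FAKE_ENV` table and the wrapper layout are assumptions; only the `'lc'` marker, the secret structure and the `"__lc_escaped__"` sentinel name come from this page.

```python
import json

SENTINEL = "__lc_escaped__"                    # sentinel name from the fix description
FAKE_ENV = {"ENV_VAR": "constructed-secret"}   # constructed stand-in for os.environ


def escape(obj):
    """Wrap plain dicts that carry the 'lc' marker (or the sentinel itself)."""
    if isinstance(obj, dict):
        if "lc" in obj or SENTINEL in obj:
            return {SENTINEL: obj}             # stored verbatim, never revived
        return {k: escape(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [escape(v) for v in obj]
    return obj


def revive(obj):
    """Toy loader: turns 'lc' structures into objects, as load()/loads() would."""
    if isinstance(obj, dict):
        if set(obj) == {SENTINEL}:
            return obj[SENTINEL]               # escaped user data: hand back as-is
        if obj.get("lc") == 1 and obj.get("type") == "secret":
            name = (obj.get("id") or [None])[0]
            return FAKE_ENV.get(name)          # secret lookup (secrets_from_env=True)
        return {k: revive(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [revive(v) for v in obj]
    return obj


def dumps(free_form, patched):
    """Toy serializer; free_form models response_metadata / additional_kwargs."""
    payload = escape(free_form) if patched else free_form
    return json.dumps({"response_metadata": payload})


def loads(text):
    return revive(json.loads(text))["response_metadata"]


# Constructed untrusted input using the structure quoted in Technical Details.
UNTRUSTED = {"note": {"lc": 1, "type": "secret", "id": ["ENV_VAR"]}}

if __name__ == "__main__":
    print("unpatched:", loads(dumps(UNTRUSTED, patched=False)))
    print("patched:  ", loads(dumps(UNTRUSTED, patched=True)))
```

Without escaping, the round trip replaces the user's dictionary with the looked-up value; with escaping, the same input comes back unchanged as plain data, including input that already contains the sentinel key.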

Available Upgrade Options

  • langchain-core
    • <0.3.81 → Upgrade to 0.3.81
    • >=1.0.0, <1.2.5 → Upgrade to 1.2.5

Additional Resources

What are Similar Vulnerabilities to CVE-2025-68664?

Similar Vulnerabilities: CVE-2023-46820, CVE-2023-28493, CVE-2022-21724, CVE-2017-1000382, CVE-2017-9805