CVE-2025-68665
Serialization Injection vulnerability in core (npm)
What is CVE-2025-68665 About?
This is a serialization injection vulnerability in LangChain JS's `toJSON()` method, where user-controlled objects with `'lc'` keys in `kwargs` are not properly escaped during serialization. This allows an attacker to inject malicious LangChain objects during deserialization, potentially leading to secret extraction or arbitrary class instantiation within provided import maps. Exploitation requires the application to serialize and deserialize untrusted data.
Affected Software
- @langchain/core
- <0.3.80
- >=1.0.0, <1.1.8
- langchain
- >=1.0.0, <1.2.3
- <0.3.37
Technical Details
The vulnerability resides in the Serializable.toJSON() method of LangChain JS, which is used for serializing objects, particularly when JSON.stringify() is called on them. This method fails to escape user-controlled objects that contain the internal 'lc' key within keyword arguments like additional_kwargs, metadata, or response_metadata. The 'lc' key is a special marker for LangChain serialized objects. When an attacker injects data structured like a LangChain object (e.g., {"lc": 1, "type": "secret", "id": ["ENV_VAR"]}) into user-controlled fields, the toJSON() method serializes it as if it were a legitimate LangChain object rather than plain data. Subsequently, when this unescaped serialized data is passed to the load() function, the injected structure is interpreted as a genuine LangChain object. This enables several attack vectors: extracting environment variables if secretsFromEnv is enabled (which effectively defaulted to true), and instantiating any class available within the application's import maps (e.g., core types, user-extended import maps) with attacker-controlled parameters an attacker could trigger arbitrary class instantiation, potentially leading to side effects such as network calls or file operations.
What is the Impact of CVE-2025-68665?
Successful exploitation may allow attackers to extract sensitive environment variables, instantiate arbitrary classes with attacker-controlled parameters within the application's import maps, and potentially trigger unintended side effects like network requests or file operations.
What is the Exploitability of CVE-2025-68665?
Exploitation requires that an application serializes Serializable objects containing user-controlled data (e.g., from LLM responses, metadata fields) and then deserializes that data using load(). The complexity is moderate, as an attacker needs to craft suitable payloads and ensure they are processed through both serialization and deserialization. No specific authentication is required if the untrusted data flows through user-facing application features. Exploitation can be local or remote depending on how the application handles input and serialization. A significant risk factor was the secretsFromEnv option effectively defaulting to true prior to the patch, which greatly facilitated secret extraction. The vulnerability can be triggered via prompt injection if LLM responses containing malicious 'lc' structures are subsequently serialized and deserialized. The new maxDepth parameter can help mitigate DoS risks related to deeply nested structures, but attackers could still potentially craft complex objects within that limit.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-68665?
About the Fix from Resolved Security
This patch introduces strict protections in the LangChain deserialization logic against prototype pollution and "object injection" attacks by escaping plain user-supplied objects with a special key if they contain the 'lc' property, ensuring they are never misinterpreted as internal LangChain objects. This fix blocks attackers from embedding "fake" secret or constructor objects in input data, which previously could be deserialized and trigger leakage of secrets or unintended object instantiation (the root of CVE-2025-68665). By clearly distinguishing between trusted, internally-produced objects and user input, and adding depth-limiting to prevent DoS via deep nesting, the patch neutralizes the core attack vectors of this vulnerability.
Available Upgrade Options
- langchain
- <0.3.37 → Upgrade to 0.3.37
- langchain
- >=1.0.0, <1.2.3 → Upgrade to 1.2.3
- @langchain/core
- <0.3.80 → Upgrade to 0.3.80
- @langchain/core
- >=1.0.0, <1.1.8 → Upgrade to 1.1.8
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3
- https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3
- https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
- https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62
- https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
- https://nvd.nist.gov/vuln/detail/CVE-2025-68665
- https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62
- https://osv.dev/vulnerability/GHSA-r399-636x-v7f6
- https://github.com/langchain-ai/langchainjs
- https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8
What are Similar Vulnerabilities to CVE-2025-68665?
Similar Vulnerabilities: CVE-2023-46820 , CVE-2023-28493 , CVE-2022-21724 , CVE-2017-1000382 , CVE-2017-9805
