CVE-2025-68664

Severity: HIGH · EPSS 96.1%
CVSS 3.1 base score: 8.2 (High)
Published Dec 23, 2025 (6 months ago) · Modified Jun 17, 2026 (1 week ago)

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

CVSS Details

Base Score
8.2
Exploitability
3.9
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
96.1% (percentile)
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-502: Deserialization of Untrusted Data (Validation)

Affected Products (2)

Vendor      Product          Version   Range
langchain   langchain_core   *         < 0.3.81
langchain   langchain_core   *         ≥ 1.0.0, < 1.2.5

References (7)

  • github.com https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8
    Patch
  • github.com https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6
    Patch
  • github.com https://github.com/langchain-ai/langchain/pull/34455
    Issue Tracking, Patch
  • github.com https://github.com/langchain-ai/langchain/pull/34458
    Issue Tracking, Patch
  • github.com https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81
    Release Notes
  • github.com https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5
    Release Notes
  • github.com https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8
    Patch
  • github.com https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6
    Patch
  • github.com https://github.com/langchain-ai/langchain/pull/34455
    Issue Tracking, Patch
  • github.com https://github.com/langchain-ai/langchain/pull/34458
    Issue Tracking, Patch