CVE-2025-68665
CRITICAL EPSS 50.2%
Published Dec 23, 20256mo ago · Modified Jun 17, 20261w ago
9.1 CVSS 3.1
Published Dec 23, 2025 6mo ago
Last Modified Jun 17, 2026 1w ago
Description
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None
Threat Intelligence
EPSS Exploit Probability
50.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 4
References 4
- github.com https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62
- github.com https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8
- github.com https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3
- github.com https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
Remediation
- github.com https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62