Cybersecurity

Critical Langchain Core Vulnerability Exposes Secrets Via...

2025-12-26 0 views admin
Critical Langchain Core Vulnerability Exposes Secrets Via...

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection.

LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs.

The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch.

"A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions," the project maintainers said in an advisory. "The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries."

"The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data."

According to Cyata researcher Porat, the crux of the problem has to do with the two functions failing to escape user-controlled dictionaries containing "lc" keys. The "lc" marker represents LangChain objects in the framework's internal serialization format.

"So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an 'lc' key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths," Porat said.

This could have various outcomes, including secret extraction from environment variables when deserialization is performed with "secrets_from_env=True" (previously set by default), instantiating classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community, and potentially even leading to arbitrary code execution via Jinja2 templates.

What's more, the escaping bug enables the injection of LangChain object structures through user-controlled fields like metadata, additional_kwargs, or response_metadata via prompt injection.

The patch released by LangChain introduces new restrictive defaults in load() and loads() by means of an allowlist parameter "allowed_objects" that allows users to specify which classes can be serialized/deserialized. In addition, Jinja2 templates are blocked by default, and the "secrets_from_env" o

Source: The Hacker News

🏷️ Tags

securityvulnerabilitycveattackexploit

More from Cybersecurity

Trust Wallet Chrome Extension Hack Tied To Millions In Losses

Trust Wallet Chrome Extension Hack Tied To Millions In Losses

2025-12-26 0
Chatgpt’s New Formatting Blocks Make Its Ui Look More Like A Task Tool

Chatgpt’s New Formatting Blocks Make Its Ui Look More Like A Task Tool

2025-12-25 0
Google Will Finally Allow You To Change Your @gmail.com Address

Google Will Finally Allow You To Change Your @gmail.com Address

2025-12-25 0
Threatsday Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits,...

Threatsday Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits,...

2025-12-25 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views