A critical vulnerability in LangChain\u2019s core library (CVE-2025-68664) allows attackers to exfiltrate sensitive environment variables and potentially execute code through deserialization flaws.<\/p>\n
Discovered by a Cyata researcher and patched just before Christmas 2025, the issue affects one of the most popular AI frameworks with hundreds of millions of downloads.\u200b<\/p>\n
LangChain-core\u2019s dumps() and dumpd() functions failed to escape user-controlled dictionaries containing the reserved \u2018lc\u2019 key, which marks internal serialized objects.<\/p>\n
This led to deserialization of untrusted data (CWE-502) when LLM outputs or prompt injections influenced fields like additional_kwargs or response_metadata, triggering serialization-deserialization cycles in common flows such as event streaming, logging, and caching. A CNA-assigned CVSS score of 9.3 rates it Critical, with 12 vulnerable patterns identified, including astream_events(v1) and Runnable.astream_log().\u200b<\/p>\n
Cyata security researcher uncovered<\/a> the flaw during audits of AI trust boundaries, spotting the missing escape in serialization code after tracing deserialization sinks.<\/p>\n Reported via Huntr on December 4, 2025, LangChain acknowledged it the next day and published the advisory<\/a> on December 24. Patches rolled out in langchain-core versions 0.3.81 and 1.2.5, which wrap \u2018lc\u2019-containing dicts and disable secrets_from_env by default\u2014previously enabled, allowing direct env var leaks. The team awarded a record $4,000 bounty.\u200b<\/p>\n Attackers could craft prompts to instantiate allowlisted classes like ChatBedrockConverse from langchain_aws, triggering SSRF<\/a> with env vars in headers for exfiltration.<\/p>\n PromptTemplate enables Jinja2 rendering for possible RCE if invoked post-deserialization. LangChain\u2019s scale amplifies risk: pepy.tech logs ~847M total downloads, pypistats ~98M last month.\u200b<\/p>\n Upgrade langchain-core immediately and verify dependencies like langchain-community. Treat LLM outputs as untrusted, audit deserialization in streaming\/logs, and disable secret resolution unless inputs are verified. A parallel flaw hit LangChainJS (CVE-2025-68665), underscoring risks in agentic AI plumbing.\u200b<\/p>\n Organizations must inventory agent deployments for swift triage amid booming LLM app adoption.\u200b<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Critical Langchain Vulnerability Let attackers Exfiltrate Sensitive Secrets from AI systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjIYX4iziSoBgzwhJEd3V1uhIg8QwFueLfZnTXla5nRVGKZw0k2Zj0lTGHMT8uxQ0KQpnxNAfAu375yf2IWbAftQ1TosFr_8k4Z9McvAwKgxXGNNCYGZnkpK8NzgImtBqZIJlmndOb_yi5yjN4IOCMrPbr5gx3FoZ5ku8U05EAapKk9DiDVb1BQN1aWH1s9\/s16000\/image-2.webp?ssl=1\")
<\/figure>\n