Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection (CVE-2025-68664, CVSS 9.3)
Key Takeaways
- A critical LangChain Core vulnerability (CVE-2025-68664, CVSS 9.3), codenamed “LangGrinch,” allows attackers to extract sensitive secrets and manipulate LLM responses through serialization injection.
- This flaw impacts both the Python (langchain-core) and JavaScript (LangChain.js) versions, necessitating immediate patching to secure applications.
- Attack vectors include environment variable secret extraction, arbitrary object instantiation within trusted namespaces, and prompt injection triggering serialization vulnerabilities.
- Patches introduce new secure defaults, including an allowed_objects allowlist, disabled Jinja2 templates, and secrets_from_env=False, significantly hardening the framework.
- The incident highlights the critical need for robust supply-chain risk monitoring, treating LLM output as untrusted input, granular secret management, and proactive cyber threat intelligence in AI development.
Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection
The landscape of artificial intelligence (AI) and large language models (LLMs) is developing rapidly, bringing both innovation and novel security challenges. A recent disclosure highlights a critical security flaw in LangChain Core, a widely used framework for developing applications powered by LLMs. This vulnerability, tracked as CVE-2025-68664, presents a significant risk, enabling attackers to extract sensitive secrets and manipulate LLM responses through serialization injection. With a CVSS score of 9.3 out of 10.0, this flaw, codenamed “LangGrinch,” underscores the importance of stringent security practices in AI development and deployment.
On December 4, 2025, security researcher Yarden Porat identified and reported a critical serialization injection vulnerability within LangChain Core. This flaw impacts the dumps() and dumpd() functions, which are responsible for serializing LangChain objects. The core issue arises from the functions’ failure to properly escape user-controlled dictionaries that contain “lc” keys. Within the LangChain framework, the “lc” key serves as an internal marker for serialized objects. When user-controlled data includes this specific key structure, the system incorrectly interprets it as a legitimate LangChain object during deserialization, rather than processing it as plain user data.
This misinterpretation forms the basis of the serialization injection attack. If an attacker can introduce data containing an “lc” key structure into a LangChain orchestration loop that subsequently serializes and deserializes this content, they can instigate the instantiation of an arbitrary, potentially unsafe object. This capability opens multiple avenues for exploitation, each carrying significant risk.
One primary consequence is the potential for secret extraction. If deserialization occurs with secrets_from_env=True (a setting that was previously enabled by default), an attacker could exploit this vulnerability to extract environment variables containing sensitive information. This exposes credentials, API keys, and other critical data stored in the application’s environment.
Beyond secret extraction, the vulnerability permits the instantiation of classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community. While these are considered trusted, the ability to arbitrarily instantiate objects within them can still lead to unintended behavior or privilege escalation, depending on the specific class functionalities. In more severe scenarios, this flaw could potentially lead to arbitrary code execution, particularly through the injection of malicious Jinja2 templates, which, if processed, could execute attacker-supplied code on the host system.
Another vector for exploitation involves prompt injection. The escaping bug facilitates the injection of LangChain object structures through user-controlled fields within LLM responses, such as metadata, additional_kwargs, or response_metadata. This means an attacker could craft malicious prompts that, when processed by the LLM, embed these lc key structures into the output. When this output is later serialized and deserialized by the LangChain application, it can trigger the vulnerability, leading to the consequences outlined above, including secret extraction or arbitrary object instantiation. This highlights a critical intersection of AI and classic security principles, where LLM output must be treated as untrusted input, requiring robust validation and sanitization.
Affected Versions and Patches
The vulnerability CVE-2025-68664 impacts specific versions of the langchain-core Python package:
- Versions >= 1.0.0 and < 1.2.5 are affected. The fix is available in version 1.2.5.
- Versions < 0.3.81 are affected. The fix is available in version 0.3.81.
Users of these Python packages are advised to update to the patched versions immediately to mitigate the risk.
A similar serialization injection flaw, CVE-2025-68665 (CVSS score: 8.6), was identified in LangChain.js. This vulnerability also stems from inadequate escaping of objects containing “lc” keys, leading to potential secret extraction and prompt injection in JavaScript-based LangChain applications.
This vulnerability affects the following npm packages:
- @langchain/core versions >= 1.0.0 and < 1.1.8 (fixed in 1.1.8).
- @langchain/core versions < 0.3.80 (fixed in 0.3.80).
- langchain versions >= 1.0.0 and < 1.2.3 (fixed in 1.2.3).
- langchain versions < 0.3.37 (fixed in 0.3.37).
JavaScript developers using LangChain frameworks must also update their respective packages to the patched versions to address this parallel vulnerability.
The patch introduced by LangChain addresses these issues by implementing new, more restrictive defaults for the load() and loads() functions. A key change is the introduction of an allowed_objects parameter, which functions as an allowlist, enabling users to specify precisely which classes are permitted for serialization and deserialization. This significantly limits the scope of objects an attacker could instantiate. Additionally, Jinja2 templates are now blocked by default, neutralizing a common vector for arbitrary code execution. The secrets_from_env option has been set to False by default, disabling the automatic loading of secrets from environment variables and requiring explicit configuration for secret management. These changes collectively harden the framework against serialization injection attacks.
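The two defensive gates implied by the description above, as an added example that is not LangChain's own code: an input-side check that finds and neutralises "lc"-marked dicts in the untrusted message fields named earlier (metadata, additional_kwargs, response_metadata) before the message is ever serialized, and a load-side allowlist check in the spirit of the new allowed_objects parameter. It assumes a serialized object is a dict carrying the "lc" key and an "id" path list; the sample message is constructed and the marker in it is inert.

```python
# Added example, not LangChain code. Assumes a serialized object is a dict with
# the "lc" marker key and an "id" path list (e.g. ["langchain_core", "prompts",
# "PromptTemplate"]); untrusted field names come from the advisory text.
from typing import Any, Iterator

LC_MARKER = "lc"
UNTRUSTED_FIELDS = ("metadata", "additional_kwargs", "response_metadata")

def find_lc_markers(value: Any, path: str = "$") -> Iterator[tuple[str, dict]]:
    """Yield (location, dict) for every nested dict that carries the "lc" key."""
    if isinstance(value, dict):
        if LC_MARKER in value:
            yield path, value
        for key, child in value.items():
            yield from find_lc_markers(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from find_lc_markers(child, f"{path}[{i}]")

def strip_lc_markers(message: dict) -> tuple[dict, list[str]]:
    """Input-side gate: copy an LLM message, replacing marker-bearing dicts in its
    untrusted fields with an inert string, so nothing there can be revived as an
    object when the message is later serialized and loaded again."""
    def scrub(value: Any) -> Any:
        if isinstance(value, dict):
            if LC_MARKER in value:
                return "<removed: untrusted lc structure>"
            return {k: scrub(v) for k, v in value.items()}
        if isinstance(value, list):
            return [scrub(v) for v in value]
        return value

    findings = [loc for field in UNTRUSTED_FIELDS
                for loc, _ in find_lc_markers(message.get(field), f"$.{field}")]
    cleaned = {k: (scrub(v) if k in UNTRUSTED_FIELDS else v) for k, v in message.items()}
    return cleaned, findings

def check_allowed_objects(serialized: dict, allowed_ids: set[str]) -> list[str]:
    """Load-side gate mirroring the patch's allowed_objects allowlist: return the
    dotted id of every marker object NOT on the allowlist (empty list = safe)."""
    rejected = []
    for _, obj in find_lc_markers(serialized):
        dotted = ".".join(str(part) for part in obj.get("id", []))
        if dotted not in allowed_ids:
            rejected.append(dotted or "<missing id>")
    return rejected

# Constructed sample: a model reply whose response_metadata smuggles a marker.
SAMPLE_MESSAGE = {
    "content": "Here is your summary.",
    "response_metadata": {"model": "example-model",
                          "extra": {"lc": 1, "type": "constructed", "id": ["x"]}},
}
```

Run strip_lc_markers over every model reply before it enters a chain that serializes state, and check_allowed_objects over anything about to be loaded; a non-empty findings or rejected list is the signal to log and drop, not to repair.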
Understanding the Broader Implications
The “LangGrinch” vulnerability serves as a salient example of how fundamental security flaws can manifest within advanced technological stacks like LLM frameworks. Serialization injection is a classic vulnerability, but its presence in a framework designed to process and generate natural language introduces new complexities and attack vectors. The ability to manipulate LLM responses through prompt injection to trigger a serialization vulnerability highlights an “AI meets classic security” intersection, where traditional attack patterns merge with novel AI-specific inputs.
For organizations leveraging LLMs, this event underscores several critical considerations. First, the dependency on third-party libraries and frameworks like LangChain introduces supply-chain risk monitoring requirements. A vulnerability in an upstream component can directly impact the security posture of an organization’s applications, even if the application code itself is robust. Continuous monitoring of dependencies for known vulnerabilities and rapid patching mechanisms are essential.
Second, the threat of secret extraction through environment variables emphasizes the need for granular secret management. Hardcoding secrets or relying solely on environment variables without additional layers of protection increases the blast radius of such vulnerabilities. Secure secret management solutions and practices, such as dynamic secret generation and least privilege access, are critical.
Third, the concept of LLM output as “untrusted input” is a fundamental principle that requires integration into security architectures. Just as user-supplied data in web applications is never fully trusted, the output generated by an LLM, especially when it is subsequently processed or parsed by other application components, must be subject to rigorous validation, sanitization, and security checks. This mitigates the risk of prompt injection and other LLM-specific attack techniques.
The existence of such vulnerabilities also reinforces the value of proactive breach detection capabilities. While patching is the primary defense, the ability to detect attempts to exploit such flaws in real-time or identify indicators of compromise after a potential breach is paramount. Comprehensive logging, anomaly detection, and security information and event management (SIEM) systems can contribute to this capability.
Furthermore, the intelligence gained from disclosures like LangGrinch feeds into broader cyber threat intelligence platform initiatives. Understanding how attackers might leverage AI-specific vulnerabilities informs threat models and risk assessments, much as dark web monitoring services and underground forum intelligence can provide early warnings of exploits being discussed or traded. Similarly, Telegram threat monitoring offers insights into threat actor communications. This proactive intelligence gathering, including real-time ransomware intelligence, can be crucial for preparing defenses against evolving threats that might leverage such weaknesses. Even brand leak alerting can become relevant if exploits lead to data exposure that then surfaces in illicit channels.
Practical Takeaways for Organizations
Addressing vulnerabilities like CVE-2025-68664 requires a multi-faceted approach, combining immediate technical actions with long-term strategic adjustments.
For Technical Readers (Developers, Security Engineers):
- Prioritize Patching: Immediately update all langchain-core (Python) and LangChain.js (npm) packages to the fixed versions (langchain-core >= 1.2.5 or >= 0.3.81; @langchain/core >= 1.1.8 or >= 0.3.80; langchain >= 1.2.3 or >= 0.3.37). Ensure continuous supply-chain risk monitoring for all dependencies.
- Review Serialization Practices: Analyze any custom serialization/deserialization logic within your applications, especially those interacting with LLM frameworks. Implement explicit allowlists for allowed objects during deserialization, rather than relying on blocklists or default behaviors.
- Secure LLM Interactions: Treat all LLM output as untrusted input. Implement robust input validation and output sanitization for any data flowing into and out of LLMs, particularly when that data is subsequently used in serialization or code execution contexts.
- Configure Secure Defaults: Verify that your LangChain deployments are using the new secure defaults, specifically secrets_from_env=False and blocked Jinja2 templates. Set allowed_objects as narrowly as possible based on application requirements.
- Implement Least Privilege: Ensure that the environment where LangChain applications run has minimal necessary access permissions. If secrets must be loaded from the environment, ensure they are tightly scoped and not broadly accessible.
- Threat Modeling for AI/LLM Applications: Conduct specific threat modeling exercises for applications incorporating AI and LLMs. Focus on data flow, trust boundaries, and potential injection points, including prompt injection and serialization vulnerabilities.
For Business Leaders (CISOs, CTOs, Executives):
- Understand AI Risk: Recognize that integrating AI and LLMs introduces new categories of security risks that may not be covered by traditional security frameworks. Invest in training and resources to understand these unique challenges.
- Allocate Resources for Patching and Upgrades: Ensure that development and operations teams have the necessary time and resources to apply critical security patches promptly. This includes budget for dedicated security personnel and automated tools.
- Invest in Continuous Security: Shift from periodic security assessments to continuous security practices. This includes continuous vulnerability scanning, automated dependency checks, and real-time breach detection capabilities.
- Strengthen Supply Chain Security: Implement robust supply-chain risk monitoring strategies. Understand the security posture of all third-party components and libraries used in your software development lifecycle.
- Prioritize Cyber Threat Intelligence: Support the acquisition and integration of comprehensive cyber threat intelligence platform solutions. Information from sources like dark web monitoring services and underground forum intelligence provides foresight into emerging threats and allows for proactive defense planning. This intelligence is crucial for understanding real-time ransomware intelligence and other critical attack trends.
- Promote Security Culture: Foster a security-aware culture that emphasizes secure coding practices, treats LLM output as untrusted, and encourages prompt reporting of potential vulnerabilities.
The LangChain Core vulnerability serves as a tangible reminder that even cutting-edge technologies are susceptible to foundational security issues. Proactive identification, rapid patching, and a comprehensive security strategy, spanning cyber threat intelligence platform insights through brand leak alerting requirements, are indispensable for protecting organizations.
PurpleOps understands the complexities of securing modern AI-driven infrastructures. Our expertise in cyber threat intelligence, dark web monitoring, and supply-chain information security enables organizations to anticipate and respond to threats like LangGrinch. We offer a range of services, from red team operations to specialized ransomware protection strategies, ensuring that your AI deployments and critical assets remain secure. Our platform provides the visibility and intelligence required for effective breach detection and proactive risk mitigation.
To learn more about how PurpleOps can help secure your AI initiatives and overall cybersecurity posture, explore our services or contact us today.
FAQ
What is CVE-2025-68664 and what does it impact?
CVE-2025-68664, codenamed “LangGrinch,” is a critical serialization injection vulnerability in LangChain Core (Python) and LangChain.js (JavaScript). It allows attackers to extract sensitive secrets, manipulate LLM responses, and potentially achieve arbitrary code execution by exploiting improper handling of user-controlled data containing internal “lc” keys during serialization and deserialization processes.
Which versions of LangChain are affected by this vulnerability?
For Python’s langchain-core, versions >= 1.0.0 and < 1.2.5, and versions < 0.3.81 are affected. For JavaScript’s @langchain/core, versions >= 1.0.0 and < 1.1.8, and versions < 0.3.80 are affected. For langchain (npm), versions >= 1.0.0 and < 1.2.3, and versions < 0.3.37 are affected. Users should update to the patched versions (e.g., langchain-core 1.2.5 or 0.3.81, @langchain/core 1.1.8 or 0.3.80, langchain 1.2.3 or 0.3.37) immediately.
How does serialization injection work in LangChain Core?
The vulnerability arises because dumps() and dumpd() functions fail to properly escape user-controlled dictionaries with “lc” keys. An attacker can inject data containing this “lc” key structure, causing the system to misinterpret it as a legitimate LangChain object during deserialization. This allows the attacker to instantiate arbitrary objects, potentially leading to secret extraction (especially if secrets_from_env=True was enabled) or even arbitrary code execution through malicious Jinja2 templates.
What are the broader implications of “LangGrinch” for AI security?
“LangGrinch” highlights the convergence of classic security flaws with AI-specific attack vectors. It emphasizes the need for treating LLM output as untrusted input, robust supply-chain risk monitoring for third-party AI frameworks, granular secret management, and proactive cyber threat intelligence to anticipate and defend against new attack methodologies in the evolving AI landscape.
What immediate actions should organizations take to mitigate this vulnerability?
Organizations should immediately update all affected LangChain packages to the patched versions. Additionally, review serialization practices, configure LangChain deployments with secure defaults (e.g., secrets_from_env=False, blocked Jinja2 templates, strict allowed_objects allowlists), implement least privilege principles, and conduct threat modeling specific to AI/LLM applications. Investing in continuous security practices and cyber threat intelligence is also crucial for long-term defense.