CVE-2025-68664
Score: 9.3
Tags: Media report, Exploit

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Data provided by the National Vulnerability Database (NVD)

Affected products:
Langchain / Langchain Core (software platform: python), version < 0.3.81
Langchain / Langchain Core (software platform: python), version >= 1.0.0 and < 1.2.5
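Two defender-side checks that follow directly from the description and the affected ranges above, written as an added example for this page (it is not LangChain's own code and does not import langchain): a walker that flags every place where untrusted free-form data carries the 'lc' marker key the advisory describes, so such input can be rejected or logged before it reaches a serialization/deserialization path, and a version predicate for the ranges listed on this page. The function names, the path notation and the sample payload are constructed for the example; the only LangChain-specific fact assumed is that the 'lc' key marks serialized objects.

```python
"""Defensive checks for CVE-2025-68664 (LangChain serialization injection).

Added example for this advisory page; not LangChain's code. Assumes only what
the advisory states: the 'lc' key marks serialized LangChain objects, and
langchain-core < 0.3.81 or >= 1.0.0, < 1.2.5 is affected.
"""
from typing import Any

# Marker key named in the advisory; any other internal structure is not assumed.
LC_MARKER = "lc"


def find_lc_markers(data: Any, path: str = "$") -> list[str]:
    """Return path-like locations of every dict in `data` that carries an 'lc' key.

    Recursively walks dicts, lists and tuples. A non-empty result means the
    payload would be read as a serialized LangChain object rather than plain
    user data by an unpatched loads()/load(), so it should be rejected or
    quarantined before serialization. The '$.key[idx]' notation is constructed
    for this example.
    """
    hits: list[str] = []
    if isinstance(data, dict):
        if LC_MARKER in data:
            hits.append(path)
        for key, value in data.items():
            hits.extend(find_lc_markers(value, f"{path}.{key}"))
    elif isinstance(data, (list, tuple)):
        for idx, item in enumerate(data):
            hits.extend(find_lc_markers(item, f"{path}[{idx}]"))
    return hits


def screen_untrusted_payload(payload: Any) -> Any:
    """Pass `payload` through unchanged, or raise if it contains 'lc' markers.

    Hypothetical gate to place in front of any code that hands user input to
    dumps()/dumpd() on an unpatched version.
    """
    hits = find_lc_markers(payload)
    if hits:
        raise ValueError(f"untrusted data contains '{LC_MARKER}' marker at: {', '.join(hits)}")
    return payload


def _parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.5' into (1, 2, 5); trailing non-digits in a component are dropped."""
    parts: list[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected_langchain_core(version: str) -> bool:
    """True if a langchain-core version lies in the ranges given on this page:
    < 0.3.81, or >= 1.0.0 and < 1.2.5 (patched in 0.3.81 and 1.2.5)."""
    v = _parse_version(version)
    if v < (0, 3, 81):
        return True
    return (1, 0, 0) <= v < (1, 2, 5)


if __name__ == "__main__":
    # Constructed sample: a harmless user profile next to one carrying the marker.
    clean = {"user": "alice", "tags": ["ops", "oncall"]}
    suspicious = {"user": "bob", "profile": {"lc": 1, "note": "looks like an object"}}
    print("clean   ->", find_lc_markers(clean))        # []
    print("suspect ->", find_lc_markers(suspicious))   # ['$.profile']
    for ver in ("0.3.80", "0.3.81", "1.2.4", "1.2.5"):
        print(f"langchain-core {ver}: affected={is_affected_langchain_core(ver)}")
```

`find_lc_markers` is deliberately conservative: it reports any dict that has an 'lc' key at any depth, which will also catch legitimate LangChain-serialized objects that were embedded on purpose. That is the intended trade-off for a pre-serialization gate on untrusted input; the real fix is upgrading to 0.3.81 / 1.2.5, which escapes these dictionaries in dumps() and dumpd().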
No advisory was found for this CVE.

EPSS metrics
Type: EPSS | Source: FIRST.org | Score: 13.83% | Percentile: 0.96
CVSS metrics
Source: nvd@nist.gov | Base score: 8.2 | Exploitability score: 3.9 | Impact score: 4.2 | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Source: security-advisories@github.com | Base score: 9.3 | Exploitability score: 3.9 | Impact score: 4.7 | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Media report: 10.04.2026 15:18
https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
Vendor Advisory
Exploit
https://github.com/langchain-ai/langchain/pull/34455
Patch
Issue Tracking
https://github.com/langchain-ai/langchain/pull/34458
Patch
Issue Tracking
https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8
Patch
https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6
Patch
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81
Release Notes
https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5
Release Notes