CVE-2025-68664: LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

← Back to Vulnerability Index

CVE-2025-68664 - LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Dec. 23, 2025, 11:15 p.m. | 1 hour, 43 minutes ago CRITICAL CVSS Score: 9.3/10.0

⚠️ Security Alert: A critical vulnerability has been identified that requires immediate attention.

Vulnerability Overview

CVE Identifier:

CVE-2025-68664

Severity Rating:

9.3 / 10.0 - CRITICAL

Detection Date:

24 Dec 2025

Vulnerability Type:

Vulnerability

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Potential Impact

This vulnerability poses a critical risk to affected systems. Organizations using the affected software should prioritize patching and implement appropriate security measures immediately.

• Unauthorized Access: Potential unauthorized access to sensitive systems or data
• Remote Code Execution: Attackers may execute arbitrary code remotely
• Service Disruption: Risk of service disruption or denial of service attacks
• Data Breach: Possibility of data breach or information disclosure

Recommended Actions

1. Immediate Assessment: Identify if your systems are running affected versions of the software
2. Apply Patches: Install security updates and patches as soon as they become available
3. Implement Workarounds: Apply temporary mitigations if patches are not yet available
4. Monitor Systems: Increase monitoring for signs of exploitation attempts
5. Update Security Policies: Review and update security policies based on this vulnerability
6. Inform Stakeholders: Communicate the risk to relevant stakeholders and teams

Stay Informed: Subscribe to our security alerts to receive timely updates on critical vulnerabilities and security advisories.

Disclaimer: This information is provided for security awareness purposes. Always verify with official sources and consult with security professionals before taking action. The severity scores and information are based on publicly available data at the time of publication.