CVE-2025-68665: LangChain serialization injection vulnerability enables secret extraction

← Back to Vulnerability Index

CVE-2025-68665 - LangChain serialization injection vulnerability enables secret extraction

Dec. 23, 2025, 11:15 p.m. | 1 hour, 43 minutes ago HIGH CVSS Score: 8.6/10.0

⚠️ Security Alert: A high-severity vulnerability has been identified that requires immediate attention.

Vulnerability Overview

CVE Identifier:

CVE-2025-68665

Severity Rating:

8.6 / 10.0 - HIGH

Detection Date:

24 Dec 2025

Vulnerability Type:

Vulnerability

Description

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

Potential Impact

This vulnerability poses a high risk to affected systems. Organizations using the affected software should prioritize patching and implement appropriate security measures immediately.

• Unauthorized Access: Potential unauthorized access to sensitive systems or data
• Remote Code Execution: Attackers may execute arbitrary code remotely
• Service Disruption: Risk of service disruption or denial of service attacks
• Data Breach: Possibility of data breach or information disclosure

Recommended Actions

1. Immediate Assessment: Identify if your systems are running affected versions of the software
2. Apply Patches: Install security updates and patches as soon as they become available
3. Implement Workarounds: Apply temporary mitigations if patches are not yet available
4. Monitor Systems: Increase monitoring for signs of exploitation attempts
5. Update Security Policies: Review and update security policies based on this vulnerability
6. Inform Stakeholders: Communicate the risk to relevant stakeholders and teams

Stay Informed: Subscribe to our security alerts to receive timely updates on critical vulnerabilities and security advisories.

Disclaimer: This information is provided for security awareness purposes. Always verify with official sources and consult with security professionals before taking action. The severity scores and information are based on publicly available data at the time of publication.