AI description
CVE-2025-68664 is a serialization injection vulnerability found in LangChain, a framework used for building agents and LLM-powered applications. The vulnerability exists in versions prior to 0.3.81 and 1.2.5, specifically within the `dumps()` and `dumpd()` functions. These functions fail to properly escape dictionaries containing the `'lc'` key during serialization. The `'lc'` key is used internally by LangChain to identify serialized objects. When user-controlled data includes this key structure, the system incorrectly interprets it as a legitimate LangChain object during deserialization, rather than treating it as plain user data. This can allow attackers to exfiltrate sensitive environment variables and potentially execute code. The vulnerability has been addressed in versions 0.3.81 and 1.2.5.
- Description: LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
- Source: security-advisories@github.com
- NVD status: Received
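As an added illustration (not code from this page or from langchain-core), a minimal Python model of the defect the description names and of the two defensive checks it implies: escaping free-form dicts that carry the reserved `lc` key before they are serialized, and scanning a serialized document for every place a marker-driven loader would rehydrate an object. The record layout, the `__escaped__` envelope, `serialize_message` and `USER_METADATA` are this example's own assumptions and constructed input.

```python
RESERVED = "lc"         # key LangChain uses to mark serialized objects (per the advisory)
ESCAPE = "__escaped__"  # hypothetical envelope for this demo, not langchain-core's real format

def escape_free_form(value):
    # Wrap any plain dict that carries the reserved key (or that looks like an envelope
    # itself) so a marker-driven loader can never mistake user data for an object record.
    if isinstance(value, dict):
        inner = {k: escape_free_form(v) for k, v in value.items()}
        return {ESCAPE: inner} if RESERVED in inner or set(inner) == {ESCAPE} else inner
    if isinstance(value, list):
        return [escape_free_form(v) for v in value]
    return value

def unescape_free_form(value):
    # Inverse of escape_free_form: strip one envelope layer, then recurse.
    if isinstance(value, dict):
        body = value[ESCAPE] if set(value) == {ESCAPE} else value
        return {k: unescape_free_form(v) for k, v in body.items()}
    if isinstance(value, list):
        return [unescape_free_form(v) for v in value]
    return value

def marker_paths(value, path="$"):
    # Detection check: every location a loader keyed on the reserved marker would
    # rehydrate as an object, i.e. dicts holding "lc" that are not inside an envelope.
    if isinstance(value, dict):
        if set(value) == {ESCAPE}:      # escaped free-form data is plain data: skip
            return []
        hits = [path] if RESERVED in value else []
        for k, v in value.items():
            hits += marker_paths(v, f"{path}.{k}")
        return hits
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in marker_paths(v, f"{path}[{i}]")]
    return []

def serialize_message(content, metadata, escape):
    # Toy stand-in for dumpd(): one object record whose "metadata" kwarg is free-form
    # data. escape=False mirrors the pre-fix behaviour, escape=True the hardened one.
    meta = escape_free_form(metadata) if escape else metadata
    return {"lc": 1, "type": "constructor", "id": ["demo", "Message"],
            "kwargs": {"content": content, "metadata": meta}}

# Constructed input: free-form metadata influenced by an untrusted source that happens
# to carry the reserved key, so on the wire it looks like a second object record.
USER_METADATA = {"note": "hello", "lc": 1, "type": "constructor", "id": ["x"]}
```

Without escaping, `marker_paths` reports two records in the serialized message (the real one at `$` and the metadata at `$.kwargs.metadata`); with escaping only the real record remains, and `unescape_free_form` restores the original metadata on load.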
CVSS 3.1
- Type: Secondary
- Base score: 9.3
- Impact score: 4.7
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
- Severity: CRITICAL
- Source: security-advisories@github.com
- CWE: CWE-502
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 27
🚨 LangGrinch: Critical LangChain-Core Bug Enables Secret Theft via Serialization Injection (CVE-2025-68664) Attackers can inject crafted `lc`-key objects through user-influenced fields (e.g., `metadata`, `additional_kwargs`, `response_metadata`) so `dumps()/dumpd()` content is
@ThreatSynop
27 Dec 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical LangChain Serialization Injection Bug Exposes Secrets and May Enable Code Execution A critical flaw in langchain-core (CVE-2025-68664) lets attackers inject crafted “lc” structures so user-controlled data is treated as LangChain objects during deserialization,
@ThreatSynop
27 Dec 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical LangChain Flaw Lets Attackers Exfiltrate Secrets via Unsafe Deserialization A critical bug in langchain-core serialization (CVE-2025-68664) enables prompt/LLM-output–influenced data to trigger unsafe deserialization paths (e.g., logging/streaming/caching), leaking
@ThreatSynop
27 Dec 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
How CVE-2025-68664 Allows Hackers to Siphon Your Private Data Directly from the vLLM Engine Read the full report on - https://t.co/9Aji9Icga9 https://t.co/NeYgkLm8Pj
@Iambivash007
27 Dec 2025
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical LangChain Vulnerability (CVE-2025-68664) Puts LLM Apps at Risk #Cybersecurity #cyashadotcom #JanaNayaganAudioLaunch https://t.co/MoAsUFrqjj
@cyashadotcom
27 Dec 2025
341 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68664: patch LangChain now. Read More: https://t.co/XMxW6mlYZP #Sec #Vuln #Patch #LangChain #Sec #Vuln #Patch #LangChain
@true_redfence
27 Dec 2025
54 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[Fixed version released for LangChain Core's CVE-2025-68664] A vulnerability (CVE-2025-68664) in which the reserved key "lc" contained in user input is not properly escaped by langchain-core's dumps()/dumpd() and can be treated as a LangChain object by load()/loads()
@LangChainJP
27 Dec 2025
922 Impressions
1 Retweet
7 Likes
2 Bookmarks
1 Reply
0 Quotes
LangChain CVE-2025-68664 (CVSS 9.3) 🚨 Prompt Injection is now triggering Deserialization! 🤯 The game has changed. Hunters, are you fuzzing lc keys or doing deep Code Review for this? 👇 @rez0__ @zwt @nahamsec @Jhaddix @securibee @Rhynorater https://t.co/FZAIXRobD
@MRTUFAN_BD
27 Dec 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical flaw in LangChain Core allows theft of secrets and manipulation of responses: vulnerability CVE-2025-68664 allows object injection via serialization, exposing sensitive data and enabling malicious executions; an urgent update is recommended. https:/
@caveiratech
26 Dec 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
All I Want for Christmas Is Your Secrets: LangGrinch hits LangChain Core (CVE-2025-68664) - Cyata | The Control Plane for Agentic Identity https://t.co/jpzB5SIQXB # #devtalk
@dev_talk
26 Dec 2025
67 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🔍 Latest CVE breakdown available now! Is your LangChain app leaking secrets? Uncover how CVE-2025-68664 enables injection attacks and what steps you must take to secure your AI stack.
@PurpleOps_io
26 Dec 2025
66 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-68664 - Lord of the Strings: The Return of the 'lc' Key --- In the land of AI agents, so shiny and bright, LangChain was the framework that felt just right. One hundred twenty-three thousand stars in the sky, But nobody noticed the bug slipping by. --- The dumps()
@gothburz
26 Dec 2025
3033 Impressions
2 Retweets
32 Likes
5 Bookmarks
3 Replies
1 Quote
Are you ready for a new wave of cybersecurity threats to AI applications? A newly discovered vulnerability in (CVE-2025-68664) weakens AI applications, enabling data theft and remote code execution. Stay up to date! #LangChain #Cybersecurity #AI https://t.co/mjaRQ
@VIPentest
26 Dec 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability in LangChain -- CVE-2025-68664: https://t.co/REzlUDGesF
@yoshiks
26 Dec 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical LangChain Core vulnerability (CVE-2025-68664) allows attackers to steal secrets and manipulate LLM behavior via serialization injection flaws. https://t.co/bY83uz78PC #CyberSecurity #LangChain #LLMSecurity #PromptInjection #AIThreats #AppSec #CloudSecurity https://t.
@redsecuretech
26 Dec 2025
159 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
A serious flaw leading to theft of secret information and alteration of responses has been found in the core library of LangChain, which is widely used as a foundation for generative AI apps (CVE-2025-68664). Crafted input causes internal processing to malfunction and makes the LLM behave as the attacker
@yousukezan
26 Dec 2025
2903 Impressions
12 Retweets
23 Likes
20 Bookmarks
0 Replies
0 Quotes
#HuttonAIAlerts 🚨 Critical AI Vulnerability Alert 🚨 A CVSS 9.3 flaw (CVE-2025-68664) just hit LangChain. Attackers can now exfiltrate your system secrets and API keys via simple prompt injection. Your AI "brain" shouldn't be a security liability. (1/4) https://t.co/Y
@HuttonTech
26 Dec 2025
12 Impressions
7 Retweets
8 Likes
0 Bookmarks
1 Reply
0 Quotes
LangChain Core has a critical bug that lets attackers extract secrets and steer LLM output. The issue, CVE-2025-68664 (CVSS 9.3), abuses how user data with lc keys is deserialized as trusted objects. Prompt injection can trigger it through normal LLM responses. 🔗 Read → ht
@TheHackersNews
26 Dec 2025
10905 Impressions
26 Retweets
76 Likes
14 Bookmarks
4 Replies
2 Quotes
🚨Vulnerability Alert ‼️ Security researcher Yarden Porat discovered a vulnerability in LangChain that exploits how the framework handles internal serialization markers. The flaw, dubbed CVE-2025-68664, received a CVSS score of 9.3, indicating critical severity. Source:
@H4ckmanac
26 Dec 2025
4762 Impressions
4 Retweets
25 Likes
6 Bookmarks
1 Reply
0 Quotes
All I Want for Christmas Is Your Secrets: LangGrinch hits LangChain Core (CVE-2025-68664) https://t.co/uidbKTMqUd
@NytroRST
26 Dec 2025
132 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
Today's top 5 cybersecurity news - December 26, 2025 1. A critical vulnerability identified as CVE-2025-68664 has been discovered in LangChain, a widely used AI framework, allowing attackers to extract sensitive environment variable secrets and potentially execute code through a
@NewsNerdie
26 Dec 2025
79 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
LangChain core vuln CVE-2025-68664 allowed env var exfiltration and possible code execution via deserialization flaws, patched just before Christmas 2025. Update now. #Vulnerability https://t.co/sbZrFg791Z
@threatcluster
26 Dec 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 We found a critical vulnerability in LangChain. Upgrade to langchain-core 1.2.5 or 0.3.81 immediately. Cyata's security researcher Yarden Porat discovere
@TeamCyata
26 Dec 2025
326 Impressions
2 Retweets
8 Likes
0 Bookmarks
0 Replies
0 Quotes
🛡️ Critical Langchain Vulnerability Let Attackers Exfiltrate Sensitive Secrets from AI systems Source: https://t.co/jcmomQRsvF A critical vulnerability in LangChain's core library (CVE-2025-68664) allows attackers to exfiltrate sensitive environment variables and potentia
@The_Cyber_News
26 Dec 2025
2812 Impressions
14 Retweets
63 Likes
18 Bookmarks
3 Replies
0 Quotes
Cyata Security Ltd. reports a critical vulnerability in langchain-core, named “LangGrinch” (CVE-2025-68664), endangering AI agent secrets with a CVSS score of 9.3, raising serious security concerns in AI production environments. #LangGrinch #CyberSecurity https://t.co/ynUJLQa
@Cyber_O51NT
26 Dec 2025
1929 Impressions
74 Retweets
45 Likes
1 Bookmark
0 Replies
0 Quotes
Merry Christmas... 9.3 Critical... CVE-2025-68664 (Langchain, AI pipelines) https://t.co/FeaZityVrX https://t.co/gw1bBnKxYg
@JasonGiedymin
25 Dec 2025
105 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes
All I Want for Christmas Is Your Secrets: LangGrinch hits LangChain Core (CVE-2025-68664) https://t.co/3WSFrPS0h9
@jedisct1
25 Dec 2025
1340 Impressions
1 Retweet
6 Likes
1 Bookmark
0 Replies
0 Quotes
All I want for Christmas is your secrets: LangGrinch attacks LangChain (CVE-2025-68664) All I Want for Xmas Is Your Secrets: LangGrinch Hits LangChain (CVE-2025-68664) https://t.co/C7qlAxJHRf 2025-12-26 05:00:08 +0900
@hackernewsj
25 Dec 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ LangGrinch (CVE-2025-68664) steals your LangChain secrets — are you exposed? A serialization bug in langchain-core allows malicious LLM output to be rehydrated into an object. Risk: extraction of environment variables and instantiation of obje
@Eremas8
25 Dec 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-68664 (CVSS 9.3): LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs LangChain is vulnerable to serialization injection. Untrusted data with 'lc' keys can be deserialized as malicious objects, enabling secret extraction vi
@zoomeye_team
25 Dec 2025
5130 Impressions
12 Retweets
71 Likes
27 Bookmarks
1 Reply
0 Quotes
LangChain serialization injection (CVE-2025-68664) allows secret extraction via `dumps/loads` APIs. Upgrade to 2e0bed6a21610618b7040cebc6b3b927e120a51a. #LangChain #Security #AI https://t.co/r9px0d5XW5
@pulsepatchio
24 Dec 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL: CVE-2025-68664 hits LangChain (<=1.2.4, <0.3.81)! Untrusted deserialization flaw risks code execution & data leaks. Patch to 1.2.5/0.3.81 ASAP! 🔒 Details: https://t.co/TwaZnkzo1T #OffSeq #LangChain... https://t.co/yeS4HSDBT9
@offseq
24 Dec 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes