U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Artificial Intelligence

LangChain core vulnerability allows prompt injection and data exposure

A critical flaw in LangChain Core could allow attackers to steal sensitive secrets and manipulate LLM responses via prompt injection. LangChain Core (langchain-core) is a key Python package in the LangChain ecosystem that provides core interfaces and model-agnostic tools for building LLM-based applications. A critical vulnerability, tracked as CVE-2025-68664 (CVSS score of 9.3), affects the […]

LangChain

A critical flaw in LangChain Core could allow attackers to steal sensitive secrets and manipulate LLM responses via prompt injection.

LangChain Core (langchain-core) is a key Python package in the LangChain ecosystem that provides core interfaces and model-agnostic tools for building LLM-based applications. A critical vulnerability, tracked as CVE-2025-68664 (CVSS score of 9.3), affects the package. Security researcher Yarden Porat reported the issue on December 4, 2025, and named it LangGrinch.

“A serialization injection vulnerability exists in LangChain’s dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.” reads the advisory.

The vulnerability stemmed from the functions dumps() and dumpd(), which do not escape user-controlled dictionaries containing “lc” keys. When deserialized with load() or loads(), this data was treated as valid LangChain objects instead of user input. This allowed attackers to inject malicious object structures through fields like metadata or response data. The flaw also enabled instantiation of Serializable classes within trusted LangChain namespaces, including those with side effects in initialization, though it could not load arbitrary external classes.

Cyata researcher Yarden Porat said the issue stems from two functions that failed to escape user-controlled dictionaries containing “lc” keys, which mark LangChain objects in its serialization format. If attackers force a LangChain loop to serialize and later deserialize such data, unsafe objects may be instantiated.

“So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an ‘lc’ key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths.” wrote Porat.

This can lead to secret leakage from environment variables, instantiation of classes in trusted namespaces like langchain_core or langchain_community, and potentially code execution via Jinja2 templates. The bug also allows object injection through user-controlled fields such as metadata or response data using prompt injection.

Porat pointed out that this vulnerability is especially serious because it affects langchain-core itself, not a peripheral tool or edge case. The vulnerable dumps() and dumpd() APIs sit at the framework’s core, which is widely deployed at massive scale, with hundreds of millions of installs globally. A single prompt can trigger the flaw indirectly, as LLM outputs may influence metadata that later gets serialized and deserialized during normal operations. This makes exploitation subtle and far-reaching. Patches are available in versions 1.2.5 and 0.3.81, and users should update immediately.

Users are urged to address the flaw as soon as possible.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, LangChain)