CVE-2025-68664

Name of the Vulnerable Software and Affected Versions LangChain versions prior to 0.3.81 and 1.2.5

Description LangChain's dumps() and dumpd() functions do not properly escape dictionaries containing 'lc' keys when serializing data. The 'lc' key is used internally by LangChain to identify serialized objects. This allows attackers to inject malicious data that is then treated as legitimate LangChain objects during deserialization, rather than as plain user data. This can lead to secret leakage, including environment variables, and potentially enable remote code execution. The vulnerability is particularly dangerous when LLM responses influence serialized data, as prompt injection can be used to exploit this flaw. The affected functions include dumps(), dumpd(), astream events(version="v1"), Runnable.astream log(), load(), loads(), InMemoryVectorStore.load(), hub.pull, StringRunEvaluatorChain, create lc store, create kv docstore, and MultiVectorRetriever.

Recommendations Update to LangChain version 0.3.81 or 1.2.5 or later. If updating is not immediately possible, restrict the use of the dumps() and dumpd() functions, especially when handling user-controlled data or LLM responses. If you must use these functions, ensure that all serialized data is carefully validated and sanitized before deserialization. Disable the loading of secrets from the environment by setting secrets from env=False. If Jinja2 templates are required, explicitly enable them by setting init validator=None, but only do so if you fully trust the source of the serialized data. When deserializing data, explicitly specify the allowed object types using the allowed objects parameter.