PT-2025-52862 · Langchain+1 · Langchain+1
0Xn3Va +3
Published: 2025-12-23 · Updated: 2026-02-17
CVE-2025-68665
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
LangChain versions prior to 0.3.37
@langchain/core versions prior to 0.3.80
LangChain versions prior to 1.2.3
@langchain/core versions prior to 1.1.8

Description
LangChain is a framework designed for building applications powered by Large Language Models (LLMs). A serialization issue exists in the toJSON() method of LangChain JS, impacting versions prior to 0.3.37 and 1.2.3 for LangChain, and prior to 0.3.80 and 1.1.8 for @langchain/core. The issue arises because the method does not properly escape objects containing 'lc' keys when serializing data using JSON.stringify(). The 'lc' key is used internally by LangChain to identify serialized objects. If user-supplied data includes this key structure, it may be interpreted as a legitimate LangChain object during deserialization instead of being treated as plain user data. This could potentially lead to unauthorized access to or manipulation of data.

Recommendations
Update to LangChain version 0.3.37 or later.
Update to @langchain/core version 0.3.80 or later.
Update to LangChain version 1.2.3 or later.
Update to @langchain/core version 1.1.8 or later.

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
CVE-2025-68665
GHSA-R399-636X-V7F6

Affected Products
Langchain-Core
Langchain