CVE-2025-65106 — HIGH AI Security Vulnerability

Q: Is CVE-2025-65106 actively exploited?

No confirmed active exploitation of CVE-2025-65106 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2025-65106?

1. PATCH: Upgrade langchain-core to 1.0.7 (1.x branch) or 0.3.80 (0.3.x branch) immediately — patches are available. 2. AUDIT: Inventory all LangChain integrations and identify any code path where untrusted input reaches ChatPromptTemplate or related classes as a template *string* (not a template *variable*). 3. WORKAROUND (if patching is delayed): Enforce system-defined template strings only; user input must only fill named variables via pre-validated inputs — never pass raw user input as the template string itself. 4. DETECT: Review application logs for template syntax patterns in user inputs ({__class__}, {__mro__}, {__subclasses__}, {__globals__}); add WAF or input validation rules to block Python object traversal patterns. 5. VERIFY: After patching, re-test all user-facing prompt customization flows to confirm template injection is no longer triggerable.

Q: What systems are affected by CVE-2025-65106?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application builders, prompt management systems, chatbot platforms.

Q: What is the CVSS score for CVE-2025-65106?

No CVSS score has been assigned yet.

CISO Take

If your organization uses LangChain and exposes prompt template string customization to end users or external inputs, patch immediately to langchain-core 1.0.7 or 0.3.80. The critical distinction: this only affects apps that allow users to define template *structure*, not just fill template *variables* — audit your LangChain integrations to determine actual exposure before assuming you are safe. Template injection in LangChain can expose Python internals and potentially enable remote code execution, making this a high-priority patch for any multi-tenant or user-facing LLM application.

Risk Assessment

High risk for organizations running LangChain-based applications that accept user-defined template strings. Attack surface is narrower than a universal LangChain vulnerability — it requires the application to expose template string customization, not just variable substitution. However, organizations building AI agents, chatbot builders, or prompt customization platforms on LangChain are directly at risk. EPSS of 0.00086 suggests no active widespread exploitation yet, but SSTI-class vulnerabilities are well-understood by attackers and trivial to weaponize once the vulnerability mechanics are public. Not in CISA KEV, but LangChain's prevalence across AI production systems elevates aggregate organizational risk significantly.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langchain-core	pip	>= 1.0.0, <= 1.0.6	`1.0.7`
135.7K OpenSSF 6.5 4.3K dependents Pushed 7d ago 88% patched ~20d to patch Full package profile →

Do you use langchain-core? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.1%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

5 steps

PATCH

Upgrade langchain-core to 1.0.7 (1.x branch) or 0.3.80 (0.3.x branch) immediately — patches are available.
AUDIT

Inventory all LangChain integrations and identify any code path where untrusted input reaches ChatPromptTemplate or related classes as a template *string* (not a template *variable*).
WORKAROUND (if patching is delayed): Enforce system-defined template strings only; user input must only fill named variables via pre-validated inputs — never pass raw user input as the template string itself.
DETECT

Review application logs for template syntax patterns in user inputs ({__class__}, {__mro__}, {__subclasses__}, {__globals__}); add WAF or input validation rules to block Python object traversal patterns.
VERIFY

After patching, re-test all user-facing prompt customization flows to confirm template injection is no longer triggerable.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Prompt Injection Code Execution Data Extraction Framework Agent AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0051.000 - Direct AML.T0053 - AI Agent Tool Invocation AML.T0057 - LLM Data Leakage AML.T0093 - Prompt Infiltration via Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - Risk assessment for AI systems A.9.2 - AI System Testing and Validation A.9.4 - AI system operation and monitoring

NIST AI RMF

GOVERN 6.1 - Policies and procedures for AI risk management MANAGE 2.2 - Mechanisms to sustain AI risk management activities over the AI system lifecycle MEASURE 2.5 - AI Risk and Trustworthiness Measurement

OWASP LLM Top 10

LLM01:2025 - Prompt Injection LLM02:2025 - Sensitive Information Disclosure LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-65106?

If your organization uses LangChain and exposes prompt template string customization to end users or external inputs, patch immediately to langchain-core 1.0.7 or 0.3.80. The critical distinction: this only affects apps that allow users to define template *structure*, not just fill template *variables* — audit your LangChain integrations to determine actual exposure before assuming you are safe. Template injection in LangChain can expose Python internals and potentially enable remote code execution, making this a high-priority patch for any multi-tenant or user-facing LLM application.

Is CVE-2025-65106 actively exploited?

No confirmed active exploitation of CVE-2025-65106 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-65106?

1. PATCH: Upgrade langchain-core to 1.0.7 (1.x branch) or 0.3.80 (0.3.x branch) immediately — patches are available. 2. AUDIT: Inventory all LangChain integrations and identify any code path where untrusted input reaches ChatPromptTemplate or related classes as a template *string* (not a template *variable*). 3. WORKAROUND (if patching is delayed): Enforce system-defined template strings only; user input must only fill named variables via pre-validated inputs — never pass raw user input as the template string itself. 4. DETECT: Review application logs for template syntax patterns in user inputs ({__class__}, {__mro__}, {__subclasses__}, {__globals__}); add WAF or input validation rules to block Python object traversal patterns. 5. VERIFY: After patching, re-test all user-facing prompt customization flows to confirm template injection is no longer triggerable.

What systems are affected by CVE-2025-65106?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application builders, prompt management systems, chatbot platforms.

What is the CVSS score for CVE-2025-65106?

No CVSS score has been assigned yet.

Technical Details

NVD Description

LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.

Exploitation Scenario

An attacker targeting a LangChain-based AI chatbot builder — a common SaaS product — where end users create custom AI assistants with custom system prompts. The attacker creates a free account and, in the 'Custom System Prompt' field, enters a template string such as: 'You are helpful. {system.__class__.__mro__[1].__subclasses__()}'. The vulnerable ChatPromptTemplate processes this as live Python template syntax, returning internal class hierarchy data in the rendered prompt output. The attacker iterates to locate os.environ access, extracting Stripe API keys, LLM API keys, and database credentials embedded in server environment variables. In a targeted scenario against an enterprise deployment, this pivot grants access to the underlying infrastructure, compromising multiple tenant environments from a single unprivileged account.