CVE-2025-68664: langchain-core: Deserialization enables RCE

GHSA-c67j-w6g6-q2cm HIGH PoC AVAILABLE CISA: TRACK*
Published December 23, 2025
CISO Take

If your LangChain applications pass user-controlled data into LangChain's native dumps()/dumpd() serialization functions, patch to langchain-core 0.3.81+ or 1.2.5+ immediately. An unauthenticated remote attacker can inject crafted 'lc' key structures that get deserialized as legitimate LangChain objects, bypassing the untrusted-data boundary and enabling confidentiality breaches or integrity manipulation. LangChain's ubiquity across agentic and RAG architectures makes blast radius organization-wide.

Risk Assessment

High risk for organizations where LangChain processes external input through its serialization layer. CVSS 8.2 with no authentication, no user interaction, and low attack complexity makes this accessible to motivated attackers. EPSS of 0.00039 indicates no observed active exploitation at publication, but CWE-502 deserialization attack patterns are well understood and weaponized routinely. Exposure is highest in multi-tenant LangChain APIs, agentic systems persisting state via LangChain serialization, and RAG pipelines that serialize retrieved external content alongside user queries.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
langchain-core | pip | >= 1.0.0, < 1.2.5 | 1.2.5
  135.7K, OpenSSF 6.5, 4.3K dependents, pushed 7d ago, 88% patched, ~20d to patch
langchain_core | pip | | No patch
  135.7K, OpenSSF 6.5, 2.6K dependents, pushed 7d ago, 17% patched, ~256d to patch

Severity & Risk

CVSS 3.1: 8.2 / 10
EPSS: 2.3% chance of exploitation in 30 days (higher than 85% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: Low
A: None

Recommended Action

  1) PATCH NOW: Upgrade langchain-core to >= 0.3.81 (0.x branch) or >= 1.2.5 (1.x branch). Verify with 'pip show langchain-core'.
  2) WORKAROUND (if patching blocked): Reject or sanitize any user-controlled input containing top-level 'lc' keys before it reaches dumps()/dumpd(). Treat 'lc' as a reserved key in all input validation schemas.
  3) CODE AUDIT: Grep codebase for 'dumps(' and 'dumpd(' calls and trace data provenance—flag any path where external/user data reaches these functions without sanitization.
  4) DETECTION: Monitor for unexpected deserialization errors, unusual LangChain class instantiation in application logs, and anomalous data access patterns post-deserialization.
  5) CONTAINER/CI: Rebuild any Docker images pinned to vulnerable langchain-core versions and update dependency lock files.
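For the patch and lock-file steps, the following added example (not code from LangChain or from this advisory) scans a requirements-style lock file for langchain-core pins below the fixed releases named above. The sample file is constructed, and the parser assumes plain `name==X.Y.Z` pins; pre-release suffixes are ignored.

```python
import re

# Fixed releases named on this page: 0.3.81 (0.x branch) and 1.2.5 (1.x branch).
FIXED_0X = (0, 3, 81)
FIXED_1X = (1, 2, 5)
# Assumption: pins look like "name==1.2.3"; anything else is skipped.
PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)")


def normalize(name):
    """PEP 503 normalization, so langchain_core and langchain-core match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_vulnerable(version):
    """True if a plain numeric version is below the fix for its branch."""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]          # pad "0.2" to (0, 2, 0)
    if parts < (1, 0, 0):
        return parts < FIXED_0X
    return parts < FIXED_1X


def scan_lockfile(text):
    """Return (line_no, version) for every vulnerable langchain-core pin."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PIN.match(line.split("#", 1)[0])  # drop trailing comments
        if m and normalize(m.group(1)) == "langchain-core" and is_vulnerable(m.group(2)):
            hits.append((no, m.group(2)))
    return hits


# Constructed sample lock file, not taken from any real project.
SAMPLE = """\
langchain==1.2.0
langchain_core==1.2.4   # vulnerable 1.x pin
requests==2.32.3
langchain-core==0.3.81  # patched 0.x pin
Langchain.Core==0.3.80
"""

if __name__ == "__main__":
    for no, ver in scan_lockfile(SAMPLE):
        print(f"line {no}: langchain-core {ver} is below the fixed release")
```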

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.1.2 - AI supply chain management
  A.6.1.5 - AI risk assessment
  A.8.4 - Information security controls for AI systems
  A.9.2 - Information security risk treatment
NIST AI RMF
  GOVERN 1.1 - Policies and processes for AI risk management
  MANAGE 2.2 - Mechanisms are in place and applied to respond to, recover from, and communicate about AI risks
OWASP LLM Top 10
  LLM02:2025 - Insecure Output Handling
  LLM05 - Supply Chain Vulnerabilities
  LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-68664?

If your LangChain applications pass user-controlled data into LangChain's native dumps()/dumpd() serialization functions, patch to langchain-core 0.3.81+ or 1.2.5+ immediately. An unauthenticated remote attacker can inject crafted 'lc' key structures that get deserialized as legitimate LangChain objects, bypassing the untrusted-data boundary and enabling confidentiality breaches or integrity manipulation. LangChain's ubiquity across agentic and RAG architectures makes blast radius organization-wide.

Is CVE-2025-68664 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-68664, increasing the risk of exploitation.

How to fix CVE-2025-68664?

  1) PATCH NOW: Upgrade langchain-core to >= 0.3.81 (0.x branch) or >= 1.2.5 (1.x branch). Verify with 'pip show langchain-core'.
  2) WORKAROUND (if patching blocked): Reject or sanitize any user-controlled input containing top-level 'lc' keys before it reaches dumps()/dumpd(). Treat 'lc' as a reserved key in all input validation schemas.
  3) CODE AUDIT: Grep codebase for 'dumps(' and 'dumpd(' calls and trace data provenance—flag any path where external/user data reaches these functions without sanitization.
  4) DETECTION: Monitor for unexpected deserialization errors, unusual LangChain class instantiation in application logs, and anomalous data access patterns post-deserialization.
  5) CONTAINER/CI: Rebuild any Docker images pinned to vulnerable langchain-core versions and update dependency lock files.

What systems are affected by CVE-2025-68664?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LangChain-based APIs, chatbot backends, model serving.

What is the CVSS score for CVE-2025-68664?

CVE-2025-68664 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 2.26%.

Technical Details

NVD Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Exploitation Scenario

An adversary targeting a LangChain-backed API that persists user session state sends a crafted JSON body containing a dictionary with 'lc' key structure mimicking LangChain's internal serialization schema—e.g., {'lc': 1, 'type': 'constructor', 'id': ['langchain_core', 'runnables', 'RunnableLambda'], 'kwargs': {<malicious_payload>}}. The application serializes this via dumps() and later deserializes it. LangChain's deserializer treats the crafted structure as a legitimate LangChain object and instantiates it, executing attacker-controlled logic in the application process context. No credentials, no prior access, no user interaction required—any network-reachable input path touching the serialization layer is attack surface.
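The workaround of treating 'lc' as a reserved key can be enforced with a gate like the one below, an added example that is not LangChain code and not part of this advisory. It goes beyond the top-level check by also walking nested dictionaries and lists, since the NVD description concerns any free-form dictionary carrying the key. The function names, depth limit and sample bodies are assumptions made for illustration.

```python
import json

RESERVED_KEY = "lc"   # marker LangChain uses for serialized objects (per the advisory)
MAX_DEPTH = 64        # assumed limit to bound recursion on hostile input


class ReservedKeyError(ValueError):
    """Raised when untrusted data carries the reserved serialization marker."""


def find_reserved_keys(value, path="$", depth=0):
    """Return JSON-style paths of every dict that contains the 'lc' key."""
    if depth > MAX_DEPTH:
        raise ReservedKeyError(f"input nested deeper than {MAX_DEPTH} at {path}")
    hits = []
    if isinstance(value, dict):
        if RESERVED_KEY in value:
            hits.append(path)
        for key, child in value.items():
            hits += find_reserved_keys(child, f"{path}.{key}", depth + 1)
    elif isinstance(value, (list, tuple)):
        for i, child in enumerate(value):
            hits += find_reserved_keys(child, f"{path}[{i}]", depth + 1)
    return hits


def require_plain_data(value):
    """Gate to call on user-controlled data before it reaches dumps()/dumpd()."""
    hits = find_reserved_keys(value)
    if hits:
        raise ReservedKeyError("reserved 'lc' key at: " + ", ".join(hits))
    return value


# Constructed request bodies for illustration; the "id" value is a placeholder.
BENIGN = json.loads('{"session": {"notes": ["lc appears here only as text"]}}')
NESTED = json.loads(
    '{"session": {"meta": [{"lc": 1, "type": "constructor",'
    ' "id": ["placeholder"], "kwargs": {}}]}}'
)

if __name__ == "__main__":
    print(find_reserved_keys(BENIGN))
    print(find_reserved_keys(NESTED))
```

Logging the returned paths at the rejection point also gives the detection step a concrete signal to alert on.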

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Timeline

Published
December 23, 2025
Last Modified
January 13, 2026
First Seen
December 23, 2025
