CVE-2025-68665: langchain.js: Deserialization enables RCE
CRITICAL | CISA: TRACK*
CVE-2025-68665 is a critical deserialization injection in LangChain JS (CVSS 9.1) requiring zero authentication and zero user interaction — patch immediately. Any LangChain JS application that processes user-controlled input through kwargs is potentially exploitable for arbitrary object instantiation, which can escalate to RCE or data exfiltration. Upgrade @langchain/core to ≥0.3.80 or ≥1.1.8, and langchain to ≥0.3.37 or ≥1.2.3 before end of day.
What is the risk?
CRITICAL. The CVSS 9.1 rating reflects network-accessible exploitation with no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N). Deserialization vulnerabilities in AI frameworks are particularly severe because LangChain is deeply integrated into agent pipelines, RAG backends, and LLM-powered APIs that routinely accept untrusted external input. The 'lc' key confusion attack is low-complexity to craft once understood. Exposure is broad: any public-facing LangChain JS application is at risk. No confirmed in-the-wild exploitation as of publication date, but the simplicity of the attack vector (crafted JSON payload) makes weaponization straightforward.
What should I do?
5 steps:
1. PATCH: Upgrade @langchain/core to ≥0.3.80 (stable) or ≥1.1.8 (v1 branch); upgrade langchain package to ≥0.3.37 or ≥1.2.3. Verify via package.json and lock files.
2. AUDIT: Inventory all services using LangChain JS — check CI/CD pipelines, serverless functions, and containerized microservices.
3. WORKAROUND (if patch not immediately possible): Sanitize or reject user-controlled input containing top-level 'lc' keys before it reaches LangChain serialization methods. Implement input validation middleware.
4. DETECT: Add WAF/API gateway rules to flag requests with JSON payloads containing 'lc' key structures in unexpected positions. Monitor LangChain application logs for deserialization errors or unexpected object types.
5. VERIFY: Review commit e5063f9 to understand the exact sanitization applied and validate your patch is complete.
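One way to implement the WORKAROUND and DETECT steps, as an added example that is not LangChain code: an Express-style middleware that rejects JSON bodies carrying an 'lc' key and logs where it was found. It goes beyond the top-level check described above by scanning at any depth; findLcMarkers, rejectLcPayload and the sample bodies are assumptions made for this example.

```javascript
// Added example, not LangChain code. All names here are hypothetical.
const MAX_DEPTH = 64; // refuse pathologically deep bodies instead of recursing forever

// Return the JSON path of every object that carries an own "lc" key.
function findLcMarkers(value, path = "$", hits = [], depth = 0) {
  if (value === null || typeof value !== "object") return hits;
  if (depth > MAX_DEPTH) {
    hits.push(`${path} (nesting deeper than ${MAX_DEPTH})`);
    return hits;
  }
  const isArray = Array.isArray(value);
  if (!isArray && Object.prototype.hasOwnProperty.call(value, "lc")) hits.push(path);
  for (const [key, child] of Object.entries(value)) {
    findLcMarkers(child, isArray ? `${path}[${key}]` : `${path}.${key}`, hits, depth + 1);
  }
  return hits;
}

// Express-style (req, res, next) middleware; assumes a JSON body parser ran first.
function rejectLcPayload(req, res, next) {
  const hits = findLcMarkers(req.body);
  if (hits.length === 0) return next();
  // Log only where the marker was found, not the payload itself.
  console.warn(JSON.stringify({ event: "lc_marker_rejected", paths: hits }));
  res.statusCode = 400;
  res.end(JSON.stringify({ error: "reserved key 'lc' is not allowed in request data" }));
}

// Constructed sample bodies. The second mirrors the structure quoted on this page,
// with a placeholder class name.
const benignBody = { input: "what does lc mean?", history: [{ role: "user", content: "hi" }] };
const suspectBody = {
  input: { lc: 1, type: "constructor", id: ["example", "PlaceholderClass"], kwargs: {} },
};
```

Mount the middleware in front of every route that hands request data to LangChain; a legitimate client that needs a field named 'lc' will be rejected too, so treat this as a stopgap until the upgrade lands.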
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-68665 actively exploited?
No confirmed active exploitation of CVE-2025-68665 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2025-68665?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM application backends, multi-turn conversational APIs, serverless AI functions.
What is the CVSS score for CVE-2025-68665?
CVE-2025-68665 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.73%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0080 AI Agent Context Poisoning
What are the technical details?
Original Advisory
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3.
Exploitation Scenario
An adversary targeting a LangChain JS-powered chatbot or API crafts a JSON payload containing a nested object with the 'lc' key structure used internally by LangChain (e.g., {"input": {"lc": 1, "type": "constructor", "id": ["langchain", "...TargetClass"], "kwargs": {...}}}). When this user-controlled data flows into LangChain's toJSON() or is passed through JSON.stringify(), the framework treats it as a legitimate serialized LangChain object rather than plain user data. During subsequent deserialization, LangChain instantiates the attacker-specified class with attacker-controlled kwargs. Depending on available gadget classes in the runtime context, this can achieve arbitrary file reads, environment variable exfiltration, or code execution — all via a single crafted HTTP request to a public API endpoint.
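A toy model of the marker confusion described in the advisory and scenario above, with the unescaped serializer beside an escaping one (added example, not LangChain's code or its actual patch). The loader only records which class ids it would instantiate; the '__toy_escaped__' wrapper key, the function names and the sample input are assumptions made for this example.

```javascript
// Toy model of the marker confusion; not LangChain's code. All names are hypothetical.
const ESC = "__toy_escaped__"; // wrapper key assumed for this example only
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Wrap any user object that looks like a serialized marker so the loader sees data.
function escapeUserData(v) {
  if (Array.isArray(v)) return v.map(escapeUserData);
  if (!isObj(v)) return v;
  if (has(v, "lc") || has(v, ESC)) return { [ESC]: v };
  return Object.fromEntries(Object.entries(v).map(([k, c]) => [k, escapeUserData(c)]));
}

// Serialize a framework object whose kwargs carry free-form user data.
function serialize(userData, escape) {
  const kwargs = { content: escape ? escapeUserData(userData) : userData };
  return JSON.stringify({ lc: 1, type: "constructor", id: ["toy", "Message"], kwargs });
}

// Loader: records each class id it would instantiate instead of constructing anything.
function load(text) {
  const instantiated = [];
  const revive = (v) => {
    if (Array.isArray(v)) return v.map(revive);
    if (!isObj(v)) return v;
    if (has(v, ESC)) return v[ESC]; // escaped: hand back as plain data, do not descend
    if (v.lc === 1 && v.type === "constructor" && Array.isArray(v.id)) {
      instantiated.push(v.id.join("."));
      return { instanceOf: v.id.join("."), kwargs: revive(v.kwargs) };
    }
    return Object.fromEntries(Object.entries(v).map(([k, c]) => [k, revive(c)]));
  };
  return { value: revive(JSON.parse(text)), instantiated };
}

// Constructed user input shaped like the marker structure quoted above.
const userInput = {
  note: "hi",
  meta: { lc: 1, type: "constructor", id: ["toy", "PlaceholderClass"], kwargs: {} },
};

const before = load(serialize(userInput, false)); // user data mistaken for an object
const after = load(serialize(userInput, true)); // user data stays data
```

Without escaping, the loader treats the user-supplied 'meta' object as a second class to instantiate; with escaping, only the framework's own object is revived and the user data round-trips unchanged.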
Weaknesses (CWE)
CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
- [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
- [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References
- github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62 (Patch)
- github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8 (Release)
- github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3 (Release)
- github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 (Vendor)
Related Vulnerabilities
- CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same package: langchain
- CVE-2023-34541 | 9.8 | LangChain: RCE via unsafe load_prompt deserialization | Same package: langchain
- CVE-2023-29374 | 9.8 | LangChain: RCE via prompt injection in LLMMathChain | Same package: langchain
- CVE-2023-34540 | 9.8 | LangChain: RCE via JiraAPIWrapper crafted input | Same package: langchain
- CVE-2023-36258 | 9.8 | LangChain: unauthenticated RCE via code injection | Same package: langchain