CVE-2025-9556: langchaingo: Jinja2 SSTI allows host filesystem read

CRITICAL | PoC AVAILABLE | CISA: TRACK*
Published September 12, 2025
CISO Take

Any Go-based AI application using langchaingo with Jinja2 prompt templates is remotely exploitable with zero credentials required—CVSS 9.8 is accurate. Update langchaingo immediately via the fix in PR #1348; if patching today is not possible, disable template parsing and block Jinja2 control characters ({% %}) at the application boundary. Audit all internal and customer-facing deployments: /etc/passwd is the proof-of-concept target, but environment variable exfiltration of API keys and database credentials is the realistic attacker objective.

Risk Assessment

Critical. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means any network-reachable langchaingo instance is exploitable by an unauthenticated attacker with no specialized skill. The C:H/I:H/A:H triad suggests the attack surface extends beyond simple file read—gonja template directives may enable server-side code execution depending on engine feature exposure. Public-facing AI products and internal developer tooling built on langchaingo carry equivalent risk. Expect automated scanning within days of disclosure given the trivial exploit pattern.

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

5 steps
  1. Patch: Apply the fix from GitHub PR #1348 or update to the patched langchaingo release as the immediate priority.

  2. Workaround: If patching is not immediately feasible, disable Jinja2 template parsing entirely and serve static prompt templates only.

  3. Input validation: Enforce strict allowlisting at the application boundary—reject any prompt input containing Jinja2 control syntax ({% %}, {{ }}, {# #}) before it reaches the template engine.

  4. Detection: Enable host-level file auditing (auditd or equivalent) and alert on access to /etc/passwd, /etc/shadow, .env files, and credential stores from the application process. Review application logs for unexpected file paths in responses.

  5. Scope audit: Enumerate all services importing langchaingo and confirm which pass user-controlled content to template constructors—prioritize public-facing services.
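
A sketch of the step 3 boundary check in Go, added here as an example (it is not code from langchaingo or from PR #1348). It assumes the user prompt arrives in a form field named "prompt"; that field name and the function names are hypothetical. It is a denylist stopgap for unpatched deployments and does not replace the patch in step 1.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Opening and closing markers of Jinja2 statements, expressions and comments.
// The whitespace-control forms ({%- and -%}) contain these markers too.
var jinjaDelims = []string{"{%", "%}", "{{", "}}", "{#", "#}"}

var ErrTemplateSyntax = errors.New("prompt input contains Jinja2 control syntax")

// CheckPromptInput returns the earliest Jinja2 marker found in input and its
// byte offset, or ("", -1, nil) when the input is free of template syntax.
func CheckPromptInput(input string) (string, int, error) {
	marker, first := "", -1
	for _, d := range jinjaDelims {
		if i := strings.Index(input, d); i >= 0 && (first < 0 || i < first) {
			marker, first = d, i
		}
	}
	if first < 0 {
		return "", -1, nil
	}
	return marker, first, ErrTemplateSyntax
}

// RejectTemplateSyntax wraps a handler and refuses requests whose "prompt"
// form field (hypothetical field name) fails CheckPromptInput.
func RejectTemplateSyntax(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if m, off, err := CheckPromptInput(r.FormValue("prompt")); err != nil {
			// Log marker and offset only; the raw input may be hostile.
			fmt.Printf("rejected prompt: marker=%q offset=%d remote=%s\n", m, off, r.RemoteAddr)
			http.Error(w, "invalid prompt", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed inputs; the second is the directive quoted in the advisory.
	for _, in := range []string{"Summarise this report", `{% include "/etc/passwd" %}`} {
		m, off, err := CheckPromptInput(in)
		fmt.Printf("%q -> marker=%q offset=%d err=%v\n", in, m, off, err)
	}
}
```

The rejection log line doubles as a detection signal for step 4: repeated rejections from one source are worth alerting on.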

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.6.2 - AI Risk Assessment; A.9.3 - AI System Security Testing
NIST AI RMF: GOVERN 1.7 - Processes for AI Risk Management; MANAGE 2.2 - Mechanisms to Minimize AI Risks
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM05 - Supply Chain Vulnerabilities; LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2025-9556 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-9556, increasing the risk of exploitation.

What systems are affected by CVE-2025-9556?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application backends, RAG pipelines, chatbot infrastructure.

What is the CVSS score for CVE-2025-9556?

CVE-2025-9556 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3. Gonja supports include and extends syntax to read files, which leads to a server side template injection vulnerability within langchaingo, allowing an attacker to insert a statement into a prompt to read the "etc/passwd" file.

Exploitation Scenario

An adversary interacting with a public-facing AI chatbot or API built on langchaingo submits a prompt containing Jinja2 file-include directives, for example '{% include "/etc/passwd" %}' or '{% extends "/proc/self/environ" %}'. The gonja v1.5.3 template engine processes the input and reads the referenced file from the host filesystem. File contents are injected into the prompt passed to the LLM or returned directly in the API response. The attacker extracts username lists, then pivots to reading application configuration files and environment variables to recover database connection strings, Stripe API keys, or cloud provider credentials. With those credentials, the attacker achieves lateral movement into the AI backend infrastructure, downstream databases, or connected SaaS services.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 12, 2025
Last Modified: November 3, 2025
First Seen: September 12, 2025
