A critical security vulnerability has been uncovered in LangChain Core, raising alarms about potential risks to sensitive secrets. This flaw can be exploited to manipulate large language model (LLM) responses through a technique known as serialization injection.
Details of the Vulnerability
The issue, designated as CVE-2025-68664, has been rated with a CVSS score of 9.3 out of 10. Security researcher Yarden Porat reported this vulnerability on December 4, 2025. Dubbed LangGrinch, it primarily affects the Python package known for its core functionality within the LangChain ecosystem.
This vulnerability lies within LangChain’s dumps() and dumpd() functions, which fail to properly escape dictionaries containing ‘lc’ keys when processing free-form dictionaries. These ‘lc’ ke…
A critical security vulnerability has been uncovered in LangChain Core, raising alarms about potential risks to sensitive secrets. This flaw can be exploited to manipulate large language model (LLM) responses through a technique known as serialization injection.
Details of the Vulnerability
The issue, designated as CVE-2025-68664, has been rated with a CVSS score of 9.3 out of 10. Security researcher Yarden Porat reported this vulnerability on December 4, 2025. Dubbed LangGrinch, it primarily affects the Python package known for its core functionality within the LangChain ecosystem.
This vulnerability lies within LangChain’s dumps() and dumpd() functions, which fail to properly escape dictionaries containing ‘lc’ keys when processing free-form dictionaries. These ‘lc’ keys denote internal LangChain objects during serialization.
Mechanics of the Flaw
- The flaw allows user-controlled data with ‘lc’ keys to be treated as legitimate LangChain objects upon deserialization.
- This could lead to various outcomes, including unauthorized extraction of secrets from environment variables.
- Attackers could instantiate classes within trusted namespaces, which might lead to further unauthorized actions, including arbitrary code execution.
Porat emphasizes that the root of the problem lies in how user-controlled dictionaries are handled during serialization, allowing malicious actors to manipulate the LLM orchestration loop. Once an attacker secures control over these keys, they can initiate unsafe object instantiation.
Impact and Recommendations
The flaw also highlights similar vulnerabilities in LangChain.js, specifically under the CVE identifier CVE-2025-68665, which has a CVSS score of 8.6. Users of the affected npm packages, including @langchain/core >= 1.0.0, are urged to act quickly to mitigate risks.
To counter this security flaw, LangChain has introduced several key patches:
- New restrictive defaults in
load()andloads()functions include an allowlist parameter calledallowed_objects. - By default, Jinja2 templates have been blocked.
- The option
secrets_from_envhas been disabled by default to prevent automatic secret loading from the environment.
Security experts recommend updating to the patched versions immediately to ensure optimal protection against potential attacks. Porat warns that the most common attack vectors involve LLM response fields, which can be easily manipulated via prompt injection.
As the landscape of AI technologies evolves, understanding and addressing these security vulnerabilities is crucial for all organizations leveraging LLMs. It serves as a stark reminder that even sophisticated AI models can present significant security challenges if not properly safeguarded.