A severe security vulnerability has been identified in LangChain Core, enabling attackers to extract secrets and manipulate LLM responses through prompt injection. Users are urged to update to the latest patched versions to mitigate potential exploitation. #LangChainCore #CVE-2025-68664
Keypoints
- A critical serialization injection flaw exists in LangChain Coreβs dumps() and dumpd() functions.
- The vulnerability allows unauthorized object instantiation and potential code execution via deserialization.
- Attack vectors include prompt injection through LLM response fields like metadata and additional_kwargs.
- Updates have been released to introduce allowlist restrictions and disable automatic secret loading.
- Similar vulnerabilities are present in LangChain.js, affecting related npm packages.
Read More: https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html