Case study: Securing AI application supply chains

The article analyzes CVE-2025-68664 (LangGrinch), a high-severity serialization injection vulnerability in the langchain-core Python package that can enable secret extraction, unintended class instantiation, and malicious side effects via an unescaped reserved lc marker. It outlines mitigation steps—upgrade to patched versions, use Microsoft Defender for Cloud and Defender XDR for discovery and hunting, and integrate Defender workflows with GitHub for faster remediation. #LangGrinch #LangChain

Keypoints

  • AI agents, orchestrators, and autonomous workflows expand the application attack surface by acting as active participants that make decisions, invoke tools, and interact with other systems.
  • Security must extend beyond prompt protections to the AI application supply chain, including frameworks, SDKs, and orchestration layers used to build and run agentic systems.
  • CVE-2025-68664 (LangGrinch) is a serialization injection vulnerability in langchain-core caused by improper handling of the reserved lc marker during dumps()/dumpd(), allowing malicious object reconstruction.
  • If exploited, the flaw can expose environment variables, instantiate unintended classes, and trigger side effects during object initialization; it carries a CVSS score of 9.3.
  • Immediate mitigations include upgrading langchain-core to 0.3.81+ (for 0.3.x) or 1.2.5+ (for 1.x) and reviewing deployments for vulnerable instances.
  • Microsoft Defender for Cloud (CSPM/Containers/Servers) and Defender XDR provide discovery, vulnerability scanning, hunting (KQL), and remediation workflows, including creating GitHub issues and using Copilot for fixes.
  • Defender scanners have been updated to identify containers and VMs running vulnerable langchain-core versions, and hunting should look for Python processes accessing environment variables or making unexpected network connections after LLM interactions.

MITRE Techniques

  • [None] No MITRE ATT&CK techniques were explicitly named in the article; the report describes insecure deserialization and supply chain risks but does not cite specific ATT&CK IDs or technique names.

Indicators of Compromise

  • [CVE] Vulnerability identifier – CVE-2025-68664
  • [Software package] Affected package name and context – langchain-core (Python package)
  • [Version] Vulnerable and fixed versions – vulnerable ranges in 0.3.x and 1.x; update to 0.3.81 or later, 1.2.5 or later
  • [Function / Marker] Code-level indicators referenced in advisory – dumps(), dumpd(), reserved key “lc”
  • [Hunting query / Inventory] Defender XDR / KQL search context – DeviceTvmSoftwareInventory entries where SoftwareName has “langchain”, with version filters (example KQL snippet shown in article)


Read more: https://www.microsoft.com/en-us/security/blog/2026/01/30/case-study-securing-ai-application-supply-chains/