CVE-2025-68664
Published: 23 December 2025
Description
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries.…
more
The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of the serialization injection flaw in LangChain's dumps() and dumpd() functions via patching to versions 0.3.81 or 1.2.5.
Validates user-controlled inputs prior to serialization to block malicious dictionaries containing 'lc' keys that could be misinterpreted as LangChain objects during deserialization.
Scans for known vulnerabilities like CVE-2025-68664 in LangChain components to identify and prioritize remediation of the deserialization injection issue.
Security SummaryAI
CVE-2025-68664 is a serialization injection vulnerability in LangChain, an open-source framework for building agents and LLM-powered applications. The issue affects versions prior to 0.3.81 and 1.2.5, specifically in the dumps() and dumpd() functions, which fail to properly escape dictionaries containing 'lc' keys during serialization of free-form dictionaries. The 'lc' key is used internally by LangChain to denote serialized objects, leading to user-controlled data being misinterpreted as legitimate LangChain objects upon deserialization. This flaw corresponds to CWE-502 (Deserialization of Untrusted Data) and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting input data containing dictionaries structured with 'lc' keys, attackers can inject serialized payloads that are treated as valid LangChain objects during deserialization, potentially enabling high confidentiality impacts such as unauthorized access to sensitive data, alongside limited integrity effects, due to the scope change from the deserialization process.
The vulnerability has been addressed in LangChain versions 0.3.81 and 1.2.5, as detailed in GitHub commits 5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8 and d9ec4c5cc78960abd37da79b0250f5642e6f0ce6, along with pull requests 34455 and 34458. Security practitioners should upgrade to these patched versions to mitigate the issue, with the release available at the langchain-core 0.3.81 tag.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- LangChain is explicitly described as a framework for building agents and LLM-powered applications, directly matching the 'AI Agent Protocols and Integrations' category.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The serialization injection vulnerability allows attackers to craft user-controlled dictionaries with 'lc' keys that are deserialized as legitimate LangChain objects, facilitating exploitation for defense evasion (T1211) via in-memory object instantiation and reflective code loading (T1620) without disk artifacts.