A critical security vulnerability has been discovered in LangChain Core, a foundational Python package essential for building large language model (LLM) applications. The flaw, codenamed “LangGrinch” and identified as CVE-2025-68664, could allow attackers to steal sensitive information and manipulate LLM outputs through prompt injection techniques. The vulnerability carries a high severity rating, with a CVSS score of 9.3 out of 10.0, highlighting the urgent need for developers to address it.
Security researcher Yarden Porat reported the vulnerability on December 4, 2025. The issue lies within LangChain’s `dumps()` and `dumpd()` serialization functions, which fail to properly handle dictionaries containing the internal LangChain key, ‘lc’. When user-controlled data includes this key structure, it is incorrectly interpreted as a legitimate LangChain object during deserialization, opening avenues for malicious exploitation.
Understanding the LangChain Core Vulnerability
The core of the CVE-2025-68664 vulnerability stems from the improper escaping of user-controlled dictionaries that contain the ‘lc’ key. This key is integral to LangChain’s internal serialization format, used to denote specific LangChain objects. When an attacker can influence the serialization process to include this key within arbitrary content, they can force the deserialization of unsafe objects.
“Once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an ‘lc’ key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths,” Porat explained. This opens the door to a range of severe security breaches.
Potential Exploitation Avenues
The implications of this serialization injection flaw are significant. Attackers could exploit this to extract sensitive secrets from environment variables, particularly if the `secrets_from_env=True` option (which was previously the default) is enabled during deserialization. This feature is designed to load secrets automatically, making it a prime target for data theft.
Furthermore, the vulnerability allows for the instantiation of classes from pre-approved, trusted namespaces such as `langchain_core`, `langchain`, and `langchain_community`. While these namespaces are generally considered safe, the ability to arbitrarily instantiate classes within them could lead to unforeseen security bypasses. In more extreme scenarios, attackers may achieve arbitrary code execution by leveraging Jinja2 templates, a powerful templating engine that can be misused if not configured securely.
Additionally, the vulnerability extends beyond direct object instantiation. The bug enables the injection of LangChain object structures directly into user-controlled fields like `metadata`, `additional_kwargs`, or `response_metadata` through prompt injection attacks. This means that the very output generated by LLMs could be silently tampered with, serving as a clandestine delivery mechanism for malicious payloads.
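A defensive check for the pattern described above, as an added example that is not LangChain's code and not the patch: it walks the three fields named here and reports every nested dictionary carrying the reserved `lc` key before the data reaches `dumps()` or `dumpd()`. The function names and the sample message are constructed for illustration.

```python
from typing import Any, Iterator

# Fields the article names as user-controlled carriers.
UNTRUSTED_FIELDS = ("metadata", "additional_kwargs", "response_metadata")
RESERVED_KEY = "lc"  # LangChain's internal serialization marker


def find_reserved_keys(value: Any, path: str = "") -> Iterator[str]:
    """Yield the path of every dict that carries the reserved 'lc' key."""
    if isinstance(value, dict):
        if RESERVED_KEY in value:
            yield path or "<root>"
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else str(key)
            yield from find_reserved_keys(child, child_path)
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from find_reserved_keys(child, f"{path}[{index}]")


def audit_message(message: dict) -> list[str]:
    """Return paths inside the untrusted fields where an 'lc' dict appears."""
    hits: list[str] = []
    for field in UNTRUSTED_FIELDS:
        if field in message:
            hits.extend(find_reserved_keys(message[field], field))
    return hits


# Constructed sample: a message-like dict as it might look before serialization.
# The nested values are placeholders, not a working LangChain object.
SAMPLE = {
    "content": "Here is the summary you asked for.",
    "additional_kwargs": {"tool_hint": {"lc": 1, "note": "constructed placeholder"}},
    "response_metadata": {
        "model": "example-model",
        "choices": [{"finish": "stop"}, {"extra": {"lc": 1}}],
    },
    "metadata": {"source": "upload.txt"},
}

if __name__ == "__main__":
    for hit in audit_message(SAMPLE):
        print("reserved 'lc' key in untrusted data at:", hit)
```

A hit is a reason to reject or quarantine the message rather than serialize it; the check complements the patched releases and does not replace them.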
Mitigation and Patching Efforts
LangChain maintainers have released patches to address CVE-2025-68664. The updates introduce more restrictive default settings for the `load()` and `loads()` functions. A key addition is the `allowed_objects` parameter, which mandates explicit specification of which classes are permitted for serialization and deserialization. This creates an allowlist approach, significantly reducing the attack surface.
Moreover, Jinja2 templates are now blocked by default in the serialization process, and the `secrets_from_env` option has been set to `False`, disabling automatic secret loading from the environment without explicit user consent. These changes are crucial for preventing the exploitation of the discovered flaws.
The following versions of the `langchain-core` Python package are affected by CVE-2025-68664:
- Versions from 1.0.0 up to, but not including, 1.2.5 (Fixed in 1.2.5)
- Versions prior to 0.3.81 (Fixed in 0.3.81)
It is important to note that a similar serialization injection vulnerability has also been identified in LangChain.js, affecting several npm packages. This related flaw, tracked as CVE-2025-68665 with a CVSS score of 8.6, also results from insufficient escaping of objects with ‘lc’ keys, enabling secret extraction and prompt injection. The affected LangChain.js npm packages and their corresponding fixed versions are:
- `@langchain/core` from 1.0.0 up to, but not including, 1.1.8 (Fixed in 1.1.8)
- `@langchain/core` prior to 0.3.80 (Fixed in 0.3.80)
- `langchain` from 1.0.0 up to, but not including, 1.2.3 (Fixed in 1.2.3)
- `langchain` prior to 0.3.37 (Fixed in 0.3.37)
Organizations utilizing LangChain are strongly advised to update to the patched versions of their respective packages as soon as possible to safeguard against these critical security risks. The common attack vector involves LLM response fields like `additional_kwargs` or `response_metadata`, which can be manipulated via prompt injection during streaming operations. As Yarden Porat highlighted, “LLM output is an untrusted input,” underscoring the need for robust security practices at the intersection of AI and traditional cybersecurity.
The next expected step is for developers and organizations to proactively implement the necessary updates. Ongoing monitoring for any emerging attack vectors exploiting these or similar vulnerabilities in LLM frameworks will be crucial as AI security continues to evolve and present new challenges.

