CVE-2025-68664— LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

可信数据的反序列化

LangChain 代码问题漏洞

LangChain是LangChain开源的一个用于开发由大型语言模型 （LLM） 提供支持的应用程序的框架。 LangChain 0.3.81之前版本和1.2.5之前版本存在代码问题漏洞，该漏洞源于序列化注入，可能导致反序列化时执行任意代码。

N/A

N/A