A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection.
LangChain Core (i.e., langchain-core) is a core Python package that’s part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs.
The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch.
“A serialization injection vulnerability exists in LangChain’s dumps() and dumpd() functions,” the project maintainers said in an advisory. “The functions do not escape dictionaries with ‘lc’ keys when serializing free-form dictionaries.”
“The ‘lc’ key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.”
According to Cyata researcher Porat, the crux of the problem has to do with the two functions failing to escape user-controlled dictionaries containing “lc” keys. The “lc” marker represents LangChain objects in the framework’s internal serialization format.
“So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an ‘lc’ key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths,” Porat said.
This could have various outcomes, including secret extraction from environment variables when deserialization is performed with “secrets_from_env=True” (previously set by default), instantiating classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community, and potentially even leading to arbitrary code execution via Jinja2 templates.
What’s more, the escaping bug enables the injection of LangChain object structures through user-controlled fields like metadata, additional_kwargs, or response_metadata via prompt injection.
The patch released by LangChain introduces new restrictive defaults in load() and loads() by means of an allowlist parameter “allowed_objects” that allows users to specify which classes can be serialized/deserialized. In addition, Jinja2 templates are blocked by default, and the “secrets_from_env” option is now set to “False” to disable automatic secret loading from the environment.
The following versions of langchain-core are affected by CVE-2025-68664 –
- >= 1.0.0, < 1.2.5 (Fixed in 1.2.5)
- < 0.3.81 (Fixed in 0.3.81)
It’s worth noting that there exists a similar serialization injection flaw in LangChain.js that also stems from not properly escaping objects with “lc” keys, thereby enabling secret extraction and prompt injection. This vulnerability has been assigned the CVE identifier CVE-2025-68665 (CVSS score: 8.6).
It impacts the following npm packages –
- @langchain/core >= 1.0.0, < 1.1.8 (Fixed in 1.1.8)
- @langchain/core < 0.3.80 (Fixed in 0.3.80)
- langchain >= 1.0.0, < 1.2.3 (Fixed in 1.2.3)
- langchain < 0.3.37 (Fixed in 0.3.37)
In light of the criticality of the vulnerability, users are advised to update to a patched version as soon as possible for optimal protection.
“The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations,” Porat said. “This is exactly the kind of ‘AI meets classic security’ intersection where organizations get caught off guard. LLM output is an untrusted input.”
