CVE-2025-68664

CVE-2025-68664 is a critical-severity insecure deserialization vulnerability in langchain-core (pip), affecting versions >= 1.0.0, < 1.2.5. It is fixed in 1.2.5, 0.3.81.

Summary

A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data.

Attack surface

The core vulnerability was in dumps() and dumpd(): these functions failed to escape user-controlled dictionaries containing 'lc' keys. When this unescaped data was later deserialized via load() or loads(), the injected structures were treated as legitimate LangChain objects rather than plain user data.

This escaping bug enabled several attack vectors:

  1. Injection via user data: Malicious LangChain object structures could be injected through user-controlled fields like metadata, additional_kwargs, or response_metadata
  2. Class instantiation within trusted namespaces: Injected manifests could instantiate any Serializable subclass, but only within the pre-approved trusted namespaces (langchain_core, langchain, langchain_community). This includes classes with side effects in __init__ (network calls, file operations, etc.). Note that namespace validation was already enforced before this patch, so arbitrary classes outside these trusted namespaces could not be instantiated.

Security hardening

This patch fixes the escaping bug in dumps() and dumpd() and introduces new restrictive defaults in load() and loads(): allowlist enforcement via allowed_objects="core" (restricted to serialization mappings), secrets_from_env changed from True to False, and default Jinja2 template blocking via init_validator. These are breaking changes for some use cases.

Who is affected?

Applications are vulnerable if they:

  1. Use astream_events(version="v1"), The v1 implementation internally uses vulnerable serialization. Note: astream_events(version="v2") is not vulnerable.
  2. Use Runnable.astream_log(), This method internally uses vulnerable serialization for streaming outputs.
  3. Call dumps() or dumpd() on untrusted data, then deserialize with load() or loads(), Trusting your own serialization output makes you vulnerable if user-controlled data (e.g., from LLM responses, metadata fields, or user inputs) contains 'lc' key structures.
  4. Deserialize untrusted data with load() or loads(), Directly deserializing untrusted data that may contain injected 'lc' structures.
  5. Use RunnableWithMessageHistory, Internal serialization in message history handling.
  6. Use InMemoryVectorStore.load() to deserialize untrusted documents.
  7. Load untrusted generations from cache using langchain-community caches.
  8. Load untrusted manifests from the LangChain Hub via hub.pull.
  9. Use StringRunEvaluatorChain on untrusted runs.
  10. Use create_lc_store or create_kv_docstore with untrusted documents.
  11. Use MultiVectorRetriever with byte stores containing untrusted documents.
  12. Use LangSmithRunChatLoader with runs containing untrusted messages.

The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.

Exploit example

from langchain_core.load import dumps, load
import os

# Attacker injects secret structure into user-controlled data
attacker_dict = {
    "user_data": {
        "lc": 1,
        "type": "secret",
        "id": ["OPENAI_API_KEY"]
    }
}

serialized = dumps(attacker_dict)  # Bug: does NOT escape the 'lc' key

os.environ["OPENAI_API_KEY"] = "sk-secret-key-12345"
deserialized = load(serialized, secrets_from_env=True)

print(deserialized["user_data"])  # "sk-secret-key-12345" - SECRET LEAKED!

Security hardening changes (breaking changes)

This patch introduces three breaking changes to load() and loads():

  1. New allowed_objects parameter (defaults to 'core'): Enforces allowlist of classes that can be deserialized. The 'all' option corresponds to the list of objects specified in mappings.py while the 'core' option limits to objects within langchain_core. We recommend that users explicitly specify which objects they want to allow for serialization/deserialization.
  2. secrets_from_env default changed from True to False: Disables automatic secret loading from environment
  3. New init_validator parameter (defaults to default_init_validator): Blocks Jinja2 templates by default

Migration guide

No changes needed for most users

If you're deserializing standard LangChain types (messages, documents, prompts, trusted partner integrations like ChatOpenAI, ChatAnthropic, etc.), your code will work without changes:

from langchain_core.load import load

# Uses default allowlist from serialization mappings
obj = load(serialized_data)

For custom classes

If you're deserializing custom classes not in the serialization mappings, add them to the allowlist:

from langchain_core.load import load
from my_package import MyCustomClass

# Specify the classes you need
obj = load(serialized_data, allowed_objects=[MyCustomClass])

For Jinja2 templates

Jinja2 templates are now blocked by default because they can execute arbitrary code. If you need Jinja2 templates, pass init_validator=None:

from langchain_core.load import load
from langchain_core.prompts import PromptTemplate

obj = load(
    serialized_data,
    allowed_objects=[PromptTemplate],
    init_validator=None
)

[!WARNING]
Only disable init_validator if you trust the serialized data. Jinja2 templates can execute arbitrary Python code.

For secrets from environment

secrets_from_env now defaults to False. If you need to load secrets from environment variables:

from langchain_core.load import load

obj = load(serialized_data, secrets_from_env=True)

Credits

  • Dumps bug was reported by @yardenporat
  • Changes for security hardening due to findings from @0xn3va and @VladimirEliTokarev

Impact

Attackers who control serialized data can extract environment variable secrets by injecting {"lc": 1, "type": "secret", "id": ["ENV_VAR"]} to load environment variables during deserialization (when secrets_from_env=True, which was the old default). They can also instantiate classes with controlled parameters by injecting constructor structures to instantiate any class within trusted namespaces with attacker-controlled parameters, potentially triggering side effects such as network calls or file operations.

Key severity factors:

  • Affects the serialization path - applications trusting their own serialization output are vulnerable
  • Enables secret extraction when combined with secrets_from_env=True (the old default)
  • LLM responses in additional_kwargs can be controlled via prompt injection

Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.

CVE-2025-68664 has a CVSS score of 9.3 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.2.5, 0.3.81); upgrading removes the vulnerable code path.

Affected versions

langchain-core (>= 1.0.0, < 1.2.5) langchain-core (< 0.3.81)

Security releases

langchain-core → 1.2.5 (pip) langchain-core → 0.3.81 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade the following packages to resolve this vulnerability:

langchain-core to 1.2.5 or later; langchain-core to 0.3.81 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2025-68664? CVE-2025-68664 is a critical-severity insecure deserialization vulnerability in langchain-core (pip), affecting versions >= 1.0.0, < 1.2.5. It is fixed in 1.2.5, 0.3.81. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
  2. How severe is CVE-2025-68664? CVE-2025-68664 has a CVSS score of 9.3 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of langchain-core are affected by CVE-2025-68664? langchain-core (pip) versions >= 1.0.0, < 1.2.5 is affected.
  4. Is there a fix for CVE-2025-68664? Yes. CVE-2025-68664 is fixed in 1.2.5, 0.3.81. Upgrade to this version or later.
  5. Is CVE-2025-68664 exploitable, and should I be worried? Whether CVE-2025-68664 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2025-68664 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2025-68664?
    • Upgrade langchain-core to 1.2.5 or later
    • Upgrade langchain-core to 0.3.81 or later

Other vulnerabilities in langchain-core

CVE-2026-44843CVE-2026-34070CVE-2026-26013CVE-2025-68664CVE-2025-65106

Stop the waste.
Protect your environment with Kodem.