Byte Open Security

(ByteOS Network)

CVE Vulnerability Details: CVE-2025-68664
Status: PUBLISHED
Assigner: GitHub_M
Assigner Org ID: a0819718-46f1-4df5-94e2-005712e83aaa
Published At: 23 Dec, 2025 | 22:47
Updated At: 24 Dec, 2025 | 14:40
CVE Numbering Authority (CNA)
LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5 of langchain-core (the package named in the release tags referenced below), a serialization injection vulnerability exists in the dumps() and dumpd() functions. When serializing free-form dictionaries, these functions do not escape dictionaries that contain an 'lc' key. LangChain uses the 'lc' key internally as an in-band marker for serialized objects, so the serialized output carries no distinction between a marker that LangChain emitted and one that arrived inside user-controlled data. When that output is later deserialized with loads(), a user-supplied dictionary with this key structure is treated as a legitimate LangChain object rather than as plain user data, which is the path to the secret extraction named in the title. This issue has been patched in versions 0.3.81 and 1.2.5.
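The marker confusion the description above explains, as an added example that is not LangChain's code and not part of this record: a toy serializer/loader pair in which free-form dictionaries first pass through unescaped (the pre-fix behaviour) and then are escaped, with one loader reviving both outputs. The envelope layout follows LangChain's public "lc" format, but everything else is assumed: the PromptTemplate stand-in class, the REGISTRY allowlist, the "escaped" wrapper used as the fix, the constructed attacker payloads and the SECRETS table that stands in for an environment or secrets-map lookup.

```python
"""Toy model of the "lc" marker confusion. Added example, not LangChain's code:
the envelope shape mirrors LangChain's public format ({"lc": 1, "type": ...,
"id": [...], "kwargs": {...}}), but the serializer, loader, class registry,
"escaped" wrapper and secret table below are simplified, assumed stand-ins."""
import json
from typing import Any, Callable

MARKER = "lc"  # in-band key that flags "this dict is a serialized object"


class Serializable:
    """Base for objects allowed to round-trip through the format."""

    def __init__(self, **kwargs: Any) -> None:
        self.kwargs = kwargs

    def envelope(self) -> dict:
        return {MARKER: 1, "type": "constructor",
                "id": [type(self).__name__], "kwargs": self.kwargs}


class PromptTemplate(Serializable):
    """Hypothetical serializable class standing in for a real LangChain one."""


# Allowlist of classes the loader may instantiate (assumed registry).
REGISTRY: dict[str, type] = {"PromptTemplate": PromptTemplate}


def dumpd_vulnerable(obj: Any) -> Any:
    """Pre-fix behaviour: a free-form dict is emitted as-is, so a user dict that
    carries the marker key is indistinguishable from a genuine envelope."""
    if isinstance(obj, Serializable):
        obj = obj.envelope()
    if isinstance(obj, dict):
        return {k: dumpd_vulnerable(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [dumpd_vulnerable(v) for v in obj]
    return obj


def dumpd_fixed(obj: Any) -> Any:
    """Escaping serializer: a free-form dict containing the marker key is wrapped
    in an "escaped" envelope (an assumed scheme, not the actual LangChain patch),
    so the loader can tell user data from serialized objects."""
    if isinstance(obj, Serializable):
        env = obj.envelope()
        return {**env, "kwargs": {k: dumpd_fixed(v) for k, v in env["kwargs"].items()}}
    if isinstance(obj, dict):
        inner = {k: dumpd_fixed(v) for k, v in obj.items()}
        return {MARKER: 1, "type": "escaped", "value": inner} if MARKER in obj else inner
    if isinstance(obj, list):
        return [dumpd_fixed(v) for v in obj]
    return obj


def revive(node: Any, secrets: dict[str, str]) -> Any:
    """Loader: every dict carrying the marker key is interpreted as an envelope.
    "secret" envelopes resolve from `secrets`, a stand-in for an environment
    or secrets-map lookup."""
    if isinstance(node, list):
        return [revive(v, secrets) for v in node]
    if not isinstance(node, dict):
        return node
    if MARKER not in node:
        return {k: revive(v, secrets) for k, v in node.items()}
    kind = node.get("type")
    if kind == "constructor":
        cls = REGISTRY[node["id"][-1]]  # KeyError for anything not allowlisted
        return cls(**{k: revive(v, secrets) for k, v in node["kwargs"].items()})
    if kind == "secret":
        return secrets[node["id"][0]]
    if kind == "escaped":
        # The wrapped value is plain user data: revive its children as usual but
        # never interpret the dict itself as an envelope.
        return {k: revive(v, secrets) for k, v in node["value"].items()}
    raise ValueError(f"unknown envelope type: {kind!r}")


# Constructed attacker payloads: "free-form" dicts (e.g. request metadata the
# app stores on a template) shaped like a secret envelope and a constructor envelope.
ATTACKER_SECRET = {MARKER: 1, "type": "secret", "id": ["OPENAI_API_KEY"]}
ATTACKER_OBJECT = {MARKER: 1, "type": "constructor",
                   "id": ["PromptTemplate"], "kwargs": {"template": "injected"}}
SECRETS = {"OPENAI_API_KEY": "sk-constructed-example"}  # constructed stand-in


def round_trip(serializer: Callable[[Any], Any], payload: Any) -> Any:
    """Serialize a template whose metadata is the attacker-controlled payload,
    reload it, and return what the application sees in that metadata slot."""
    tmpl = PromptTemplate(template="Hello {name}", metadata=payload)
    blob = json.dumps(serializer(tmpl))  # what gets persisted or sent on the wire
    return revive(json.loads(blob), SECRETS).kwargs["metadata"]


if __name__ == "__main__":
    print("vulnerable:", round_trip(dumpd_vulnerable, ATTACKER_SECRET))  # the secret's value
    print("fixed:     ", round_trip(dumpd_fixed, ATTACKER_SECRET))       # the dict, unchanged
    print("vulnerable:", type(round_trip(dumpd_vulnerable, ATTACKER_OBJECT)).__name__)
    print("fixed:     ", round_trip(dumpd_fixed, ATTACKER_OBJECT))
```

On the vulnerable path the application gets the secret's value where it expected the attacker's metadata dict, or an instantiated object when the payload mimics a constructor envelope; on the fixed path it gets the dict back untouched. The lesson is the usual one for in-band markers: anything the serializer cannot distinguish from its own control structure has to be escaped on the way out rather than filtered on the way in.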

Affected Products
Vendor: langchain-ai
Product: langchain
Affected versions:
  • >= 1.0.0, < 1.2.5
  • < 0.3.81
Problem Types
Type: CWE
CWE ID: CWE-502
Description: CWE-502: Deserialization of Untrusted Data
Metrics
CVSS version: 3.1
Base score: 9.3
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
(Network attack vector, low attack complexity, no privileges or user interaction required, scope changed; high confidentiality impact, low integrity impact, no availability impact.)
Solutions
Upgrade to the patched releases named in the description: langchain-core 0.3.81 for the 0.3.x line or langchain-core 1.2.5 for the 1.x line (see the release tags in the references). Confirm the installed langchain-core version in every environment that serializes or deserializes LangChain objects, since an application can pin the langchain package while an older langchain-core remains resolved. The CNA section of this record lists no workarounds, configurations, credits or timeline.
References
  • https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm (x_refsource_CONFIRM)
  • https://github.com/langchain-ai/langchain/pull/34455 (x_refsource_MISC)
  • https://github.com/langchain-ai/langchain/pull/34458 (x_refsource_MISC)
  • https://github.com/langchain-ai/langchain/commit/5ec0fa69de31bbe3d76e4cf9cd65a6accb8466c8 (x_refsource_MISC)
  • https://github.com/langchain-ai/langchain/commit/d9ec4c5cc78960abd37da79b0250f5642e6f0ce6 (x_refsource_MISC)
  • https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.81 (x_refsource_MISC)
  • https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D1.2.5 (x_refsource_MISC)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
  • https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm (exploit)