Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-68665
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-23 Dec, 2025 | 23:15
Updated At-13 Jan, 2026 | 16:17

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.6HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 8.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CPE Matches
langchain
langchain
>>langchain.js>>Versions before 0.3.37(exclusive)
cpe:2.3:a:langchain:langchain.js:*:*:*:*:*:*:*:*
langchain
langchain
>>langchain.js>>Versions from 1.0.0(inclusive) to 1.2.3(exclusive)
cpe:2.3:a:langchain:langchain.js:*:*:*:*:*:*:*:*
langchain
langchain
>>langchain\/core>>Versions before 0.3.80(exclusive)
cpe:2.3:a:langchain:langchain\/core:*:*:*:*:*:node.js:*:*
langchain
langchain
>>langchain\/core>>Versions from 1.0.0(inclusive) to 1.1.8(exclusive)
cpe:2.3:a:langchain:langchain\/core:*:*:*:*:*:node.js:*:*
Weaknesses
CWE IDTypeSource
CWE-502Secondarysecurity-advisories@github.com
CWE ID: CWE-502
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62security-advisories@github.com
Patch
https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8security-advisories@github.com
Release Notes
https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3security-advisories@github.com
Release Notes
https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6security-advisories@github.com
Vendor Advisory
https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6134c704f-9b21-4f2e-91b3-4a467353bcc0
Vendor Advisory
Hyperlink: https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3
Source: security-advisories@github.com
Resource:
Release Notes
Hyperlink: https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Vendor Advisory
Change History
0Changes found
Details not found