ByteOS Network

langchain\/core

Source -

NVD

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

1Vulnerabilities found

CVE-2025-68665

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.6||HIGH

EPSS-0.04% / 13.81%

7 Day CHG-0.08%

Published-23 Dec, 2025 | 22:56

Updated-13 Jan, 2026 | 16:17

LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

Vendor-langchain langchain-ai

Product-langchain\/core langchain.js langchainjs

CWE ID-CWE-502

Deserialization of Untrusted Data