CVE-2025-68664
HIGH WAF: Medium
CVSS 8.2
Published: 2025-12-23
CWE-502
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| langchain | langchain_core | up to 0.3.81 |
| langchain | langchain_core | 1.0.0 - 1.2.5 |
References
- github.com (Patch)
- github.com (Patch)
- github.com (Issue Tracking, Patch)
- github.com (Issue Tracking, Patch)
- github.com (Release Notes)
- github.com (Release Notes)
- github.com (Exploit, Vendor Advisory)