HIGH🇬🇧 English

CVE-2025-68665

CVSS 8.6v3.1pub. 2025-12-23upd. 2026-01-13

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
  • Langchain Langchain\/core

    APP
    Langchain
    < 0.3.801.0.0 – 1.1.8 (bez)
  • Langchain Langchain.js

    APP
    Langchain
    < 0.3.371.0.0 – 1.2.3 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Deserialization
CWE
Referencje

Powiązane podatności

CVE-2024-7774CRITICAL9.1PL ✓ten sam produkt

Path traversal w metodzie getFullPath biblioteki LangChain.js

CVE-2025-68664CRITICAL9.3PL ✓ten sam vendor

Podatność deserialization injection w funkcjach dumps/dumpd LangChain Core

CVE-2025-2828CRITICAL10.0PL ✓ten sam vendor

SSRF w LangChain RequestsToolkit — dostęp do sieci wewnętrznej i metadanych chmury

CVE-2024-7042CRITICAL9.8PL ✓ten sam vendor

SQL injection przez prompt injection w LangChain GraphCypherQAChain

CVE-2024-8309CRITICAL9.8PL ✓ten sam vendor

SQL injection przez prompt injection w LangChain GraphCypherQAChain

CVE-2025-68665 — HIGH 8.6 | CVEbaza.pl