Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection - The Hacker News
A critical serialization injection vulnerability, CVE-2025-68664, has been discovered in LangChain Core. The flaw stems from the `dumps()` and `dumpd()` functions failing to escape user-controlled dictionaries that contain "lc" keys, which allows attackers to instantiate arbitrary objects, potentially leading to secret extraction, prompt injection in LLM responses, and even arbitrary code execution through deserialization.
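A trust-boundary check suggested by the description above, added here as an example rather than code from LangChain or the report: it walks untrusted input and refuses anything carrying the "lc" marker key before `dumpd()`/`dumps()` see it. The path notation, function names and the sample payload are constructed for this example.

```python
from typing import Any, Iterator

# "lc" is the marker key named in the report; a dict carrying it can be
# treated as a serialized LangChain object when it is loaded back.
MARKER_KEY = "lc"


def find_lc_markers(value: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every dict that carries an "lc" key.

    Recurses through nested dicts and lists, so a marker buried inside an
    otherwise harmless message payload is still reported.
    """
    if isinstance(value, dict):
        if MARKER_KEY in value:
            yield path
        for key, child in value.items():
            yield from find_lc_markers(child, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for index, child in enumerate(value):
            yield from find_lc_markers(child, f"{path}[{index}]")


def is_safe_for_serialization(value: Any) -> bool:
    """True when no dict anywhere in `value` carries the marker key."""
    return next(find_lc_markers(value), None) is None


def guard_untrusted(value: Any) -> Any:
    """Return `value` unchanged, or raise before it can reach dumpd()/dumps().

    Call this on user-controlled input (chat messages, tool arguments,
    metadata) at the trust boundary; the error lists every offending path
    so the rejection can be logged and investigated.
    """
    hits = list(find_lc_markers(value))
    if hits:
        raise ValueError(f"untrusted input carries {MARKER_KEY!r} marker at: {hits}")
    return value


# Constructed sample: a user message whose content smuggles a marker dict.
UNTRUSTED_SAMPLE = {
    "messages": [
        {"role": "user", "content": {"lc": 1, "note": "constructed"}},
        {"role": "user", "content": "plain text is fine"},
    ]
}

if __name__ == "__main__":
    print(list(find_lc_markers(UNTRUSTED_SAMPLE)))  # ['$.messages[0].content']
    print(is_safe_for_serialization({"role": "user", "content": "hi"}))  # True
```

Run the guard on every inbound payload before it is handed to any code path that serializes it; a logged hit is a useful detection signal even when the request is simply dropped.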
Source: Original Report