{"data":{"id":"ca3f2521-633f-4d72-b991-aff3fe819f97","title":"CVE-2025-68664: LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a seriali","summary":"LangChain, a framework for building AI agents and applications powered by large language models, had a serialization injection vulnerability (a flaw in how it converts data to stored formats) in its dumps() and dumpd() functions before versions 0.3.81 and 1.2.5. The functions failed to properly escape dictionaries containing 'lc' keys, which LangChain uses internally to mark serialized objects, allowing attackers to trick the system into treating user-supplied data as legitimate LangChain objects during deserialization (converting stored data back into usable form).","solution":"Update to LangChain version 0.3.81 or version 1.2.5, where this issue has been patched.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-68664","publishedAt":"2025-12-24T04:15:44.933Z","cveId":"CVE-2025-68664","cweIds":["CWE-502"],"cvssScore":"9.3","cvssSeverity":"critical","severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00039,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}