The LangGrinch Stole Your Keys: Critical LangChain Flaw Enables Data Theft
A critical vulnerability has been discovered in the LangChain ecosystem that allows attackers to steal sensitive data and even influence the responses of large language models through prompt injection. The flaw affects LangChain Core (langchain-core), the foundational Python library underpinning LLM-based applications and responsible for shared interfaces and object serialization.
The vulnerability has been assigned CVE-2025-68664 and carries a CVSS score of 9.3. It was reported on December 4, 2025, by researcher Yarden Porat and is informally referred to within the project as “LangGrinch.”
At its core, the issue stems from a serialization flaw. The dumps() and dumpd() functions in LangChain mishandle dictionaries containing the key lc, which the framework uses internally to tag its own serialized objects. When such structures appear in user-controlled data, the library may, upon deserialization, treat them not as ordinary input but as legitimate internal LangChain objects.
According to Porat, this behavior opens the door to a broad range of attacks. If an attacker can cause data containing the lc key to be serialized and then deserialized during LangChain’s execution, the system may instantiate arbitrary unsafe objects. Depending on configuration, this can result in the leakage of secrets from environment variables (when secrets_from_env is enabled), the creation of class instances from trusted namespaces such as langchain_core, langchain, or langchain_community, and in certain scenarios even arbitrary code execution via Jinja2 templates.
It is particularly concerning that the flaw allows LangChain structures to be injected through fields commonly populated from model outputs, such as metadata, additional_kwargs, or response_metadata. This means that an LLM response shaped by prompt injection can itself become a fully fledged attack vector once it undergoes serialization and deserialization.
LangChain’s developers have released updates that significantly harden the library’s default behavior. The load() and loads() functions now include an allowed_objects parameter, enabling explicit whitelisting of classes permitted for serialization and restoration. In addition, Jinja2 templates are now disabled by default, and automatic loading of secrets from the environment (secrets_from_env) has been turned off.
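The serialization path described above can also be given a defender-side guardrail that does not depend on the library version: before any model-populated field (metadata, additional_kwargs, response_metadata) reaches dumps() or dumpd(), scan it for dictionaries carrying the lc key and reject or neutralize them. The following Python is an added example written for this article, not LangChain's own code. It assumes only that the lc key is the marker the framework uses, as stated above, and the sample message it checks is constructed. It complements, rather than replaces, upgrading to the patched releases.

```python
"""Defender-side audit for LangChain-style serialization markers in model output.

Added, illustrative check; not LangChain code. Assumption: a dict carrying the
key "lc" is the internal tag that the library would treat as one of its own
serialized objects. The fields walked are the ones the advisory names as being
populated from model output.
"""
from __future__ import annotations

from typing import Any, Iterator

LC_MARKER = "lc"
# Fields commonly filled from LLM responses and therefore untrusted.
UNTRUSTED_FIELDS = ("metadata", "additional_kwargs", "response_metadata")


def find_lc_markers(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every dict that carries the "lc" key.

    Walks nested dicts and lists, so a marker buried several levels deep is
    still reported.
    """
    if isinstance(obj, dict):
        if LC_MARKER in obj:
            yield path
        for key, value in obj.items():
            yield from find_lc_markers(value, f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for index, item in enumerate(obj):
            yield from find_lc_markers(item, f"{path}[{index}]")


def audit_model_output(message: dict) -> list[str]:
    """Return the locations of "lc"-tagged dicts inside the untrusted fields.

    An empty list means the message is clean. Anything else should be logged
    and the message rejected (or scrubbed) before it is serialized.
    """
    hits: list[str] = []
    for field in UNTRUSTED_FIELDS:
        if field in message:
            hits.extend(find_lc_markers(message[field], f"$.{field}"))
    return hits


def quarantine(message: dict) -> dict:
    """Return a copy in which every "lc"-tagged dict found in an untrusted field
    is replaced by a plain string, so nothing in those fields can be mistaken
    for an internal object on the way back through deserialization.
    """

    def scrub(obj: Any) -> Any:
        if isinstance(obj, dict):
            if LC_MARKER in obj:
                return "<removed: lc-tagged structure in untrusted field>"
            return {key: scrub(value) for key, value in obj.items()}
        if isinstance(obj, (list, tuple)):
            return [scrub(item) for item in obj]
        return obj

    clean = dict(message)
    for field in UNTRUSTED_FIELDS:
        if field in clean:
            clean[field] = scrub(clean[field])
    return clean


# Constructed sample: an assistant message whose response_metadata has been
# shaped by the model and smuggles in an "lc"-tagged dict. The inner dict is a
# deliberately minimal placeholder, not a real serialized object.
SAMPLE_MESSAGE = {
    "content": "Sure, here is the summary you asked for.",
    "additional_kwargs": {},
    "response_metadata": {
        "model_name": "example-model",
        "extra": [{"lc": 1, "note": "constructed placeholder"}],
    },
}

if __name__ == "__main__":
    print("lc-tagged structures found at:", audit_model_output(SAMPLE_MESSAGE))
    print("after quarantine:", audit_model_output(quarantine(SAMPLE_MESSAGE)))
```

In a pipeline this audit sits between the model call and any streaming or persistence step that serializes messages; a non-empty result is a detection signal worth alerting on, since a well-formed LLM reply has no reason to emit the library's own object tag.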
The vulnerability affects the following versions of langchain-core:
- Versions 1.0.0–1.2.4 (fixed in 1.2.5);
- Versions earlier than 0.3.81 (fixed in 0.3.81).
Beyond the Python implementation, researchers also identified a similar issue in LangChain.js. There, the vulnerability likewise arises from improper handling of objects containing the lc key and enables both secret extraction and prompt injection. This issue has been assigned CVE-2025-68665 with a CVSS score of 8.6 and affects:
- @langchain/core versions 1.0.0–1.1.7 and earlier than 0.3.80;
- langchain versions 1.0.0–1.2.2 and earlier than 0.3.37.
Patched releases have been issued in all cases.
Given the severity of the issue, LangChain users are strongly advised to upgrade to secure versions as soon as possible. As Porat notes, the most common attack path exploits LLM response fields that later participate in streaming serialization. This serves as a stark reminder that classical vulnerabilities readily manifest in AI-driven systems—and that model output remains untrusted input, no matter how innocuous it may appear.