Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-68664
Good to know:
Date: December 23, 2025
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
Severity Score
Related Resources (10)
Severity Score
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502Top Fix
Upgrade Version
Upgrade to version langchain-core - 1.2.5;langchain-core - 0.3.81;langchain-core - 0.3.81;langchain-core - 1.2.5;https://github.com/langchain-ai/langchain.git - langchain-core==0.3.81;https://github.com/langchain-ai/langchain.git - langchain-core==1.2.5
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | CHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | LOW |
| Availability (A): | NONE |