8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-68665

CVE-2025-68665: LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-68665

CVE-2025-68665:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@langchain/core	npm	>= 1.0.0, < 1.1.8	1.1.8
@langchain/core	npm	< 0.3.80	0.3.80
langchain	npm	>= 1.0.0, < 1.2.3	1.2.3
langchain	npm	< 0.3.37	0.3.37

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic serialization injection issue stemming from two core functions: Serializable.toJSON for serialization and load for deserialization. The root cause was a failure to properly handle untrusted user input during the serialization process, combined with insecure defaults during deserialization.

Serializable.toJSON: This function did not escape user-provided data that contained a special "lc" key. LangChain uses this key internally to identify its own serialized objects. By not escaping this key in user data (e.g., in additional_kwargs from an LLM response), the serialization output would contain malicious, user-controlled objects that masqueraded as legitimate LangChain constructs.
load: This function would deserialize the data and, upon encountering a serialized "secret" object, would attempt to resolve it. Critically, its default behavior was to fall back to reading from environment variables (process.env) if the secret was not found in the explicitly provided secretsMap. This allowed an attacker-controlled payload from toJSON to instruct load to read and return the value of any environment variable on the server.

The patch addresses both issues. It introduces an escaping mechanism in Serializable.toJSON to ensure user data is never misinterpreted as a LangChain object. It also changes the default behavior of load to be secure by default, requiring developers to explicitly opt-in to loading secrets from the environment (secretsFromEnv: true). This combination of fixes effectively closes the secret extraction vector.

Vulnerable functions

Serializable.toJSON

libs/langchain-core/src/load/serializable.ts

The `Serializable.toJSON` function was vulnerable to a serialization injection attack. It failed to escape user-controlled data in fields like `additional_kwargs` or `metadata`. If this data contained a specially crafted object with an `"lc"` key, it would be serialized as a trusted LangChain object. When this serialized data was later deserialized, the malicious object would be instantiated, leading to potential secret extraction from environment variables or arbitrary class instantiation.

load

libs/langchain-core/src/load/index.ts

The `load` function, which is responsible for deserializing data into LangChain objects, had an insecure default configuration. It would attempt to load any referenced secrets from environment variables if they were not provided in a `secretsMap`. When combined with the `Serializable.toJSON` vulnerability, an attacker could craft a serialized object that, when deserialized by `load`, would read and expose arbitrary environment variables. The patch mitigates this by changing the default behavior to not load secrets from the environment.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-68665: LangChain serialization injection vulnerability enables secret extraction

CVE-2025-68665:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-68665: LangChain serialization injection vulnerability enables secret extraction

Basic Information

Basic Information

8.6

8.6

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI