VDB

CVE-2025-68665

CVE-2025-68665 PUBLISHED CVSS 8.6 HIGH

Reported by GitHub_M · Published December 23, 2025

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

Risk Scores

CVSS 3.1
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products

VendorProductVersions
langchain-ailangchainjs@langchain/core >= 1.0.0, < 1.1.8, @langchain/core < 0.3.80, langchain >= 1.0.0, < 1.2.3
langchain-ailangchainjs@langchain/core < 0.3.80, @langchain/core < 0.3.80, langchain >= 1.0.0, < 1.2.3
chainguardkibana-8.170, 0, 0
chainguardlangfuse-20, 0, 0
npmlangchain0, 1.0.0, 0
chainguardkibana-9.20, 0, 0
chainguardlibrechat0, 0, 0
chainguardkibana-9.10, 0, 0
chainguardkibana-8.190, 0, 0
chainguardkibana-9.00, 0, 0
chainguardkibana-8.180, 0, 0
chainguardlangfuse-fips-20, 0, 0
langchaincore0, 1.0.0, 0

Exploit Intelligence

…and 7 more exploits

Timeline

  • Dec 23, 2025 CVE Published
  • Dec 24, 2025 EPSS Score
  • Dec 24, 2025 CVE Updated
  • Dec 28, 2025 EPSS Score
  • Dec 31, 2025 EPSS Score
  • Jan 4, 2026 EPSS Score
  • Jan 8, 2026 EPSS Score
  • Jan 11, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
  • Jan 19, 2026 EPSS Score
  • Jan 23, 2026 EPSS Score
  • Jan 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›