CVE-2025-68665 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-68665 PUBLISHED CVSS 8.6 HIGH

Reported by GitHub_M · Published December 23, 2025

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

Risk Scores

CVSS v3.1

8.6

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
langchain-ai	langchainjs	@langchain/core >= 1.0.0, < 1.1.8, @langchain/core < 0.3.80, langchain >= 1.0.0, < 1.2.3
langchain-ai	langchainjs	langchain < 0.3.37, langchain >= 1.0.0, < 1.2.3, langchain < 0.3.37
chainguard	kibana-8.17	0
chainguard	langfuse-2	0
npm	langchain	0, 1.0.0, 0
chainguard	kibana-9.2	0
chainguard	librechat	0
chainguard	kibana-9.1	0
chainguard	kibana-8.19	0
chainguard	kibana-9.0	0
chainguard	kibana-8.18	0
chainguard	langfuse-fips-2	0
langchain	core	1.0.0, 1.0.0, 0

Timeline

Dec 23, 2025 CVE Published
Dec 24, 2025 EPSS Score
Dec 27, 2025 EPSS Score
Dec 30, 2025 EPSS Score
Jan 2, 2026 EPSS Score
Jan 6, 2026 EPSS Score
Jan 9, 2026 EPSS Score
Jan 12, 2026 EPSS Score
Jan 15, 2026 EPSS Score
Jan 18, 2026 EPSS Score
Jan 21, 2026 EPSS Score
Jan 24, 2026 EPSS Score

References

https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 x_refsource_CONFIRM
https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62 x_refsource_MISC
https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8 x_refsource_MISC
https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3 x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-68665 advisory
https://github.com/advisories/GHSA-r399-636x-v7f6 advisory
https://github.com/langchain-ai/langchainjs url

Open in Interactive Console →