Critical LangGrinch Flaw in LangChain Core Exposes AI Agent Secrets and Enables Prompt Injection

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building applications powered by LLMs. The vulnerability, tracked as CVE-2025-68664, carries a CVSS score of 9.3 out of 10.0. Security researcher Yarden Porat has been credited with reporting the vulnerability on December 4, 2025. It has been codenamed LangGrinch. "A serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions," the project maintainers said in an advisory. "The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries." "The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data." According to Cyata researcher Porat, the crux of the problem has to do with the two functions failing to escape user-controlled dictionaries containing "lc" keys. The "lc" marker represents LangChain objects in the framework's internal serialization format. "So once an attacker is able to make a LangChain orchestration loop serialize and later deserialize content including an 'lc' key, they would instantiate an unsafe arbitrary object, potentially triggering many attacker-friendly paths," Porat said. This could have various outcomes, including secret extraction from environment variables when deserialization is performed with "secrets_from_env=True" (previously set by default), instantiating classes within pre-approved trusted namespaces, such as langchain_core, langchain, and langchain_community, and potentially even leading to arbitrary code execution via Jinja2 templates. What's more, the escaping bug enables the injection of LangChain object structures through user-controlled fields like metadata, additional_kwargs, or response_metadata via prompt injection. The patch released by LangChain introduces new restrictive defaults in load() and loads() by means of an allowlist parameter "allowed_objects" that allows users to specify which classes can be serialized/deserialized. In addition, Jinja2 templates are blocked by default, and the "secrets_from_env" option is now set to "False" to disable automatic secret loading from the environment. The following versions of langchain-core are affected by CVE-2025-68664 - It's worth noting that there exists a similar serialization injection flaw in LangChain.js that also stems from not properly escaping objects with "lc" keys, thereby enabling secret extraction and prompt injection. This vulnerability has been assigned the CVE identifier CVE-2025-68665 (CVSS score: 8.6). It impacts the following npm packages - In light of the criticality of the vulnerability, users are advised to update to a patched version as soon as possible for optimal protection. "The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations," Porat said. "This is exactly the kind of 'AI meets classic security' intersection where organizations get caught off guard. LLM output is an untrusted input."

Critical 'LangGrinch' vulnerability in langchain-core puts AI agent secrets at risk - SiliconANGLE

Critical 'LangGrinch' vulnerability in langchain-core puts AI agent secrets at risk A new report out today from artificial intelligence security startup Cyata Security Ltd. has detailed a recently uncovered critical vulnerability on langchain-core, the foundational library behind LangChain-based agents used widely in artificial intelligence production environments. The vulnerability, tracked as CVE-2025-68664 and dubbed "LangGrinch" has a Common Vulnerability Scoring System score of 9.3. The vulnerability can allow attackers to exfiltrate sensitive secrets from affected systems and could potentially escalate to remote code execution under certain conditions. Langchain-core sits at the heart of the agentic AI ecosystem and acts as a core dependency for countless frameworks and applications. According to Cydata, public package download trackers show langchain-core at approximately 847 million total downloads, with tens of millions of downloads in the last 30 days. The broader LangChain package has approximately 98 million downloads per month, highlighting how deeply embedded the vulnerable component is across modern AI workflows. LangGrinch occurs due to a serialization and deserialization injection vulnerability in langchain-core's built-in helper functions. An attacker can exploit the vulnerability by steering an AI agent through prompt injection into generating crafted structured outputs that include LangChain's internal marker key. Because the marker key is not properly escaped during serialization, the data can later be deserialized and interpreted as a trusted LangChain object rather than untrusted user input. "What makes this finding interesting is that the vulnerability lives in the serialization path, not the deserialization path. In agent frameworks, structured data produced downstream of a prompt is often persisted, streamed and reconstructed later," explains Yarden Porat, security researcher at Cyata. "That creates a surprisingly large attack surface reachable from a single prompt." Once the vulnerability is triggered, it can result in full environment variable exfiltration via outbound HTTP requests. The exposure may include cloud provider credentials, database and RAG connection strings, vector database secrets and large language model application programming interface keys. Cyata's researchers were able to identify 12 distinct reachable exploit flows, highlighting how routine agent operations such as persisting, streaming and reconstructing structured data can unintentionally open an attack path. Notably, the vulnerability exists in langchain-core itself and does not depend on third-party tools, integrations, or connectors. Cyata emphasized that this makes the flaw particularly dangerous, as it lives in what the company described as the ecosystem's "plumbing layer," exercised continuously by many production systems. Patches are now available in langchain-core versions 1.2.5 and 0.3.81 and Cyata is urging organizations to update immediately. Before going public with the details, Cyata ethically disclosed the details to the LangChain Maintainers, whom Cyata commended for decisive remediation and security hardening steps beyond the immediate fix. "As agents move into production, the security question shifts from 'what code do we run' to 'what effective permissions does this system end up exercising'" said Shahar Tal, chief executive officer and co-founder at Cyata. "With agentic identities, you want tight defaults, clear boundaries and the ability to reduce blast radius when something goes wrong."