Description

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

INFO

Published Date :

2025-12-23T22:56:04.837Z

Last Modified :

2025-12-24T14:38:40.268Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-68665 vulnerability.

Vendors Products
Langchain
  • Langchain.js
  • Langchain\/core
Langchain-ai
  • Langchainjs
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-68665.

URL Resource
https://github.com/langchain-ai/langchainjs/commit/e5063f9c6e9989ea067dfdff39262b9e7b6aba62 cve-icon cve-icon cve-icon
https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcore%401.1.8 cve-icon cve-icon cve-icon
https://github.com/langchain-ai/langchainjs/releases/tag/langchain%401.2.3 cve-icon cve-icon cve-icon
https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-r399-636x-v7f6 cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-68665 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-68665 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact