CVE-2025-65106 Overview
CVE-2025-65106 is a template injection vulnerability in LangChain, a widely used framework for building agents and Large Language Model (LLM) powered applications. The flaw resides in the prompt template system and allows attackers to access Python object internals through template syntax. Applications that accept untrusted template strings, not just template variables, in ChatPromptTemplate and related prompt template classes are exposed. The issue affects versions 0.3.79 and prior, plus versions 1.0.0 through 1.0.6. Maintainers have addressed the flaw in versions 0.3.80 and 1.0.7. The weakness is classified as [CWE-1336] (Improper Neutralization of Special Elements Used in a Template Engine).
Critical Impact
Attackers supplying untrusted template strings can traverse arbitrary Python object attributes, leading to information disclosure and potential code execution paths within the host application.
Affected Products
- LangChain langchain-core versions 0.3.79 and earlier (0.3.x branch)
- LangChain langchain-core versions 1.0.0 through 1.0.6
- Applications using ChatPromptTemplate and related prompt template classes with untrusted template strings
Discovery Timeline
- 2025-11-21 - CVE-2025-65106 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-65106
Vulnerability Analysis
The vulnerability resides in libs/core/langchain_core/utils/mustache.py, the module that resolves variable references inside LangChain prompt templates. When resolving a dotted path such as {{ user.profile.name }}, the resolver walked into the current scope by first attempting dictionary subscripting, then falling back to getattr, and finally to list indexing. The fallback to getattr against any Python object meant template strings could traverse into arbitrary object attributes. An attacker who controls the template string, rather than only the variable values passed into it, can pivot through Python internals such as __class__, __mro__, __globals__, and __builtins__ to reach sensitive data or callable references inside the application process.
Root Cause
The root cause is unrestricted attribute traversal in the mustache-style scope resolver. The resolver treated any object as a valid traversal target and used getattr without an allowlist. This violates the template engine principle that user-controlled templates must not expose host language internals [CWE-1336].
Attack Vector
Exploitation requires the application to accept attacker-controlled template strings and render them through a LangChain prompt template. This is common in agent frameworks that allow tools, plugins, or end users to define prompt scaffolding dynamically. The attack is network-reachable and requires no authentication and no user interaction. Successful exploitation primarily impacts confidentiality through disclosure of in-process Python objects and may extend to further abuse depending on what objects are reachable from the template scope.
# Security patch in libs/core/langchain_core/utils/mustache.py
# Before: getattr fallback allowed traversal into arbitrary Python objects.
# After: only dict, list, and tuple traversal is permitted.
if resolved_scope in (0, False):
    return resolved_scope
# Move into the scope
if isinstance(resolved_scope, dict):
    try:
        resolved_scope = resolved_scope[child]
    except (KeyError, TypeError):
        # Key not found - will be caught by outer try-except
        msg = f"Key {child!r} not found in dict"
        raise KeyError(msg) from None
elif isinstance(resolved_scope, (list, tuple)):
    try:
        resolved_scope = resolved_scope[int(child)]
    except (ValueError, IndexError, TypeError):
        # Invalid index - will be caught by outer try-except
        msg = f"Invalid index {child!r} for list/tuple"
        raise IndexError(msg) from None
else:
    # Reject everything else for security
    # This prevents traversing into arbitrary Python objects
    msg = (
        f"Cannot traverse into {type(resolved_scope).__name__}. "
    )
# Source: https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a
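The behaviour change described above, as an added example that is not LangChain's code: a simplified model of a dotted-path resolver with the getattr fallback next to a dict/list/tuple-only version. The function names, the Profile class and the sample scope are hypothetical and constructed for illustration.

```python
# Simplified model of a mustache-style dotted-path resolver (added example,
# not LangChain's code). All names here are hypothetical.

def resolve_legacy(path, scope):
    """Pre-patch order per the advisory: dict subscripting, then a getattr
    fallback, then list indexing."""
    for child in path.split("."):
        try:
            scope = scope[child]
        except (KeyError, TypeError):
            try:
                scope = getattr(scope, child)  # reaches any object attribute
            except AttributeError:
                scope = scope[int(child)]
    return scope


def resolve_patched(path, scope):
    """Post-patch rule: only dict, list and tuple may be traversed."""
    for child in path.split("."):
        if isinstance(scope, dict):
            if child not in scope:
                raise KeyError(f"Key {child!r} not found in dict")
            scope = scope[child]
        elif isinstance(scope, (list, tuple)):
            try:
                scope = scope[int(child)]
            except (ValueError, IndexError):
                raise IndexError(f"Invalid index {child!r} for list/tuple") from None
        else:
            raise TypeError(f"Cannot traverse into {type(scope).__name__}")
    return scope


class Profile:  # constructed sample object placed in the template scope
    def __init__(self, name):
        self.name = name


def demo():
    scope = {"user": Profile("alice"), "items": ["a", "b"]}
    results = {"legacy_dunder": resolve_legacy("user.__class__.__name__", scope)}
    try:
        resolve_patched("user.__class__.__name__", scope)
        results["patched_dunder"] = "resolved"
    except TypeError as exc:
        results["patched_dunder"] = str(exc)
    results["patched_list"] = resolve_patched("items.1", scope)
    return results
```

Under the dict/list/tuple-only rule, a path such as user.name also stops resolving when user is an object, so code that passed objects into mustache templates has to convert them to dicts when upgrading.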
Detection Methods for CVE-2025-65106
Indicators of Compromise
- Prompt template strings containing dunder attribute references such as __class__, __mro__, __subclasses__, __globals__, or __builtins__.
- Unexpected stack traces from langchain_core.utils.mustache referencing attribute lookups on non-dict objects.
- Application logs showing rendered prompts that contain serialized Python type names or module paths.
Detection Strategies
- Inventory all call sites where template strings, not just template variables, originate from untrusted sources such as users, plugins, tool descriptions, or retrieval results.
- Statically scan repositories for ChatPromptTemplate.from_template, PromptTemplate.from_template, and related constructors that receive non-literal arguments.
- Inspect dependency manifests (requirements.txt, pyproject.toml, poetry.lock) for langchain-core versions at or below 0.3.79 and between 1.0.0 and 1.0.6.
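One way to run the static scan for non-literal template arguments, as an added example that is not part of the original advisory: it parses Python source with the standard ast module and reports from_template calls whose template argument is anything other than a plain string literal. The function name and the sample source are constructed for illustration.

```python
import ast

# Constructor name taken from the advisory; extend for other prompt classes.
TEMPLATE_CALLS = {"from_template"}


def find_dynamic_templates(source, filename="<memory>"):
    """Return (line, call) for each *.from_template(...) call whose template
    argument is not a plain string literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in TEMPLATE_CALLS:
            continue
        # The template is the first positional argument or the `template` keyword.
        arg = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "template"), None)
        if arg is None:
            continue
        literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
        if not literal:  # names, subscripts, calls, f-strings, concatenation
            findings.append((node.lineno, ast.unparse(node)))
    return sorted(findings)


# Constructed sample source for the scan (parsed only, never executed).
SAMPLE = '''
from langchain_core.prompts import ChatPromptTemplate, PromptTemplate

safe = PromptTemplate.from_template("Summarise: {text}")
risky = ChatPromptTemplate.from_template(request.json["template"])
also_risky = PromptTemplate.from_template(f"{header} {{question}}")
'''

if __name__ == "__main__":
    for line, call in find_dynamic_templates(SAMPLE):
        print(f"line {line}: {call}")
```

Each finding is a call site to triage by hand: a non-literal argument is only a problem when its value can come from an untrusted source.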
Monitoring Recommendations
- Log raw template strings before rendering and alert on the presence of mustache or f-string syntax pointing to dunder attributes.
- Monitor outbound LLM payloads for leaked internal class names, file paths, or environment variable values that suggest object traversal.
- Track exceptions raised from mustache.py to identify reconnaissance attempts that probe attribute paths.
How to Mitigate CVE-2025-65106
Immediate Actions Required
- Upgrade langchain-core to version 0.3.80 for the 0.3.x branch or 1.0.7 for the 1.0.x branch.
- Audit application code to ensure template strings are never sourced from untrusted input; pass user content only as template variables.
- Review agent tools, plugins, and retrieval-augmented generation pipelines for any path that concatenates untrusted data into a prompt template definition.
Patch Information
LangChain maintainers shipped the fix in commits c4b6ba2 and fa7789d. The fix removes the getattr fallback in the scope resolver and restricts traversal to dict, list, and tuple types. Details are published in GitHub Security Advisory GHSA-6qv9-48xg-fc7f.
Workarounds
- Treat all template strings as code; load them only from trusted, version-controlled sources.
- Validate and sanitize any dynamic template construction to reject mustache or f-string expressions containing dotted (.) traversal of dunder attributes.
- Run LangChain workloads under least-privilege Python environments with sensitive secrets isolated from the interpreter that renders prompts.
# Upgrade to a patched release
pip install --upgrade "langchain-core>=1.0.7"
# Or, for the 0.3.x branch
pip install --upgrade "langchain-core>=0.3.80,<1.0.0"
# Verify installed version
python -c "import langchain_core; print(langchain_core.__version__)"
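A check that serves both the monitoring recommendation (alert on dunder references in raw template strings) and the validation workaround above, as an added example that is not LangChain's code: it extracts the variable paths a template actually references and flags those that traverse a dunder attribute, so literal prompt text mentioning names like __init__ is not flagged. The function names and sample templates are constructed; the caller is assumed to know which template format the string will be rendered with.

```python
import re
from string import Formatter

# {{name}}, {{{name}}}, {{&name}} and section tags {{#name}} {{^name}} {{/name}}
MUSTACHE_TAG = re.compile(r"\{\{\{?\s*[#^/&]?\s*([^{}]*?)\s*\}?\}\}")


def referenced_paths(template, template_format):
    """Return the variable paths a template string references."""
    if template_format == "mustache":
        return [m.group(1) for m in MUSTACHE_TAG.finditer(template)]
    if template_format == "f-string":
        paths = []
        for _, field, spec, _ in Formatter().parse(template):
            if field:
                paths.append(field)
            if spec:  # a format spec can nest further replacement fields
                paths.extend(referenced_paths(spec, "f-string"))
        return paths
    raise ValueError(f"unsupported template_format: {template_format!r}")


def dunder_references(template, template_format):
    """Return the referenced paths that traverse a dunder attribute."""
    hits = []
    for path in referenced_paths(template, template_format):
        segments = [s.strip() for s in re.split(r"[.\[\]]", path)]
        if any(len(s) > 4 and s.startswith("__") and s.endswith("__")
               for s in segments):
            hits.append(path)
    return hits


def is_template_allowed(template, template_format):
    """Fail closed: reject dunder traversal, parse errors, unknown formats."""
    try:
        return not dunder_references(template, template_format)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample templates, not taken from any real incident.
    for fmt, tpl in [("mustache", "Hi {{ user.__class__.__name__ }}"),
                     ("f-string", "Explain __init__ in {language}")]:
        print(fmt, repr(tpl), "->", dunder_references(tpl, fmt) or "clean")
```

This is a logging and pre-render gate for code paths that must build templates dynamically; it does not replace upgrading to a patched release.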
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


