CVE-2025-68665 Overview
CVE-2025-68665 is a critical insecure deserialization (serialization injection) vulnerability in LangChain JS, a widely used framework for building LLM-powered applications. The flaw is in the toJSON() method that LangChain's serializable objects expose and that JSON.stringify() invokes when such an object is converted to a string. toJSON() did not escape free-form values in kwargs that contain the reserved 'lc' key, so attacker-controlled data could be emitted in exactly the shape of a serialized LangChain object. When that output is later deserialized, the injected data is revived as a LangChain object instead of being returned as plain user data.
Critical Impact
An attacker who can place data containing the internal 'lc' key structure into a field that a LangChain object serializes (for example message content or prompt variables held in kwargs) can have that data revived as a LangChain object when the serialized form is loaded again. What the attacker can then do depends on which classes the application's deserializer is able to instantiate; in the worst case this means unauthorized code execution, data exfiltration, or full compromise of the host application. Exploitation requires an application that both serializes attacker-influenced data through toJSON()/JSON.stringify() and later deserializes the result with LangChain's loader; JSON handled outside that pipeline is not affected.
Affected Products
- langchain (npm package "langchain"): 0.3.x before 0.3.37 and 1.x before 1.2.3
- @langchain/core: 0.3.x before 0.3.80 and 1.x before 1.1.8
Discovery Timeline
- 2025-12-23 - CVE-2025-68665 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-68665
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw resides on the serialization side of LangChain JS, specifically in toJSON(). LangChain marks serialized objects with an internal 'lc' key so that its loader can tell them apart from ordinary data. Free-form user data placed in kwargs passed through toJSON() unchanged, so a user-supplied object that carries the same 'lc' key structure is indistinguishable from a genuine nested LangChain object once the output is parsed and loaded again.
The impact is significant because both confidentiality and integrity of the affected application are at stake. The vulnerable code path needs no authentication or user interaction beyond the ability to submit input, so any application that serializes untrusted input through LangChain's serialization methods and later loads the result is exposed. Depending on the classes the loader can instantiate, a successful attack can execute code in the context of the LangChain application, manipulate application state, or extract secrets and other sensitive data handled by the framework.
Root Cause
The root cause of CVE-2025-68665 is a missing escaping step at the boundary between LangChain's own serialized objects and free-form data: toJSON() emitted values from the kwargs parameter verbatim, with no escaping of objects that carry the reserved 'lc' key. Because the reserved marker lives in the same JSON namespace as user data, an attacker can craft a payload that mimics the internal serialization format and cross the trust boundary between user data and internal objects.
Attack Vector
An attacker supplies input containing the 'lc' key structure to any LangChain JS application that serializes user-controlled data, for instance as part of a stored message or prompt. When the enclosing object passes through toJSON() (directly or via JSON.stringify()), the payload is written out unescaped. When that serialized data is later deserialized, the payload is interpreted as a legitimate LangChain object rather than as data, giving the attacker an object injection primitive.
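The round trip described above, as an added example that is not LangChain's code: a toy serializer/loader pair in which the envelope shape {lc, type, id, kwargs}, the class registry and the "escaped" wrapper are assumptions made for illustration. toJSONUnescaped() models the pre-fix behaviour, toJSONEscaped() the post-fix behaviour, and load() is a minimal loader that revives every envelope it meets.

```javascript
// Added example, not LangChain's code: a toy model of the CVE-2025-68665
// pattern. The envelope shape {lc, type, id, kwargs}, the class registry and
// the "escaped" wrapper are assumptions made for illustration.

// Classes the loader is allowed to instantiate, keyed by serialized id.
const REGISTRY = {
  "toy/Prompt": class Prompt {
    constructor(kwargs) { this.template = kwargs.template; }
  },
  // Stand-in for a class an attacker would like the loader to instantiate:
  // it reads whichever environment variable its kwargs name.
  "toy/SecretFromEnv": class SecretFromEnv {
    constructor(kwargs) { this.value = process.env[kwargs.name] ?? "<unset>"; }
  },
};

function isEnvelope(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) &&
    v.lc === 1 && typeof v.type === "string";
}

// Pre-fix behaviour: free-form kwargs are copied into the envelope verbatim,
// so user data that carries an "lc" key is indistinguishable from a nested
// LangChain object once the JSON is parsed again.
function toJSONUnescaped(id, kwargs) {
  return { lc: 1, type: "constructor", id, kwargs };
}

// Post-fix behaviour: every value inside kwargs that carries an "lc" key is
// wrapped so the loader hands it back as inert data. The wrapper shape is an
// assumption of this example, not LangChain's real escapeIfNeeded().
function escapeIfNeeded(v) {
  if (Array.isArray(v)) return v.map(escapeIfNeeded);
  if (v === null || typeof v !== "object") return v;
  if (Object.prototype.hasOwnProperty.call(v, "lc")) {
    return { lc: 1, type: "escaped", value: v };
  }
  const out = {};
  for (const [k, val] of Object.entries(v)) out[k] = escapeIfNeeded(val);
  return out;
}

function toJSONEscaped(id, kwargs) {
  return { lc: 1, type: "constructor", id, kwargs: escapeIfNeeded(kwargs) };
}

// Loader: walks parsed JSON and revives every envelope it meets. "escaped"
// envelopes are unwrapped and returned without further revival.
function load(node) {
  if (Array.isArray(node)) return node.map(load);
  if (node === null || typeof node !== "object") return node;
  if (isEnvelope(node)) {
    if (node.type === "escaped") return node.value;
    if (node.type === "constructor") {
      const cls = REGISTRY[node.id];
      if (!cls) throw new Error(`class not allowed: ${node.id}`);
      return new cls(load(node.kwargs)); // kwargs are revived first
    }
    throw new Error(`unknown envelope type: ${node.type}`);
  }
  const out = {};
  for (const [k, v] of Object.entries(node)) out[k] = load(v);
  return out;
}

// Constructed attacker input: a "template" that should be a string but is
// really an envelope naming the class the attacker wants instantiated.
const ATTACKER_INPUT = {
  lc: 1, type: "constructor", id: "toy/SecretFromEnv", kwargs: { name: "PATH" },
};

// Serialize a Prompt whose kwargs hold the attacker's value, then load it back
// and return whatever ended up in the template slot.
function roundTrip(toJSON) {
  const wire = JSON.stringify(toJSON("toy/Prompt", { template: ATTACKER_INPUT }));
  return load(JSON.parse(wire)).template;
}

function vulnerableResult() { return roundTrip(toJSONUnescaped); }
function fixedResult() { return roundTrip(toJSONEscaped); }

console.log("unescaped:", vulnerableResult().constructor.name); // SecretFromEnv
console.log("escaped:  ", fixedResult().constructor.name);      // Object
```

With the unescaped serializer the template slot comes back as an instance of the attacker-chosen class, and that class has already run its constructor (here, reading an environment variable) by the time the application sees the object. With the escaped serializer the same input comes back as the plain object the user sent. The loader is deliberately permissive to make the point; a real deployment should also restrict which classes it will instantiate.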
The patch adds an escapeIfNeeded helper in validation.js and imports it into the serialization module so that kwargs values carrying the reserved key are escaped before they are emitted; the excerpt below shows only the added import:
import { type SerializedFields, keyToJson, mapKeys } from "./map_keys.js";
+import { escapeIfNeeded } from "./validation.js";
export interface BaseSerialized<T extends string> {
lc: number;
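Review bot: only the new import of escapeIfNeeded is visible here; neither its definition in validation.js nor the call site inside toJSON() where kwargs values are escaped is part of this hunk, so the fix itself cannot be reviewed from the excerpt. Please include the hunk that applies escapeIfNeeded to the kwargs values (and the test that feeds a kwargs value carrying an 'lc' key through toJSON()) so a reviewer can confirm every free-form path through toJSON() is covered. The unchanged context line `lc: number;` in BaseSerialized also shows that the reserved marker is a plain numeric field, so nothing at the type level stops user data from carrying it; the escaping step is the only guard.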
Source: GitHub Commit
Detection Methods for CVE-2025-68665
Indicators of Compromise
- Objects carrying the 'lc' key structure in fields that should hold plain user data (message content, prompt variables, tool arguments) in application logs, request bodies, or data stores
- Unusual deserialization errors or exceptions in LangChain-based applications
- Evidence of object injection attempts in input validation or WAF logs
- Suspicious application behavior following processing of user-controlled JSON data
Detection Strategies
- Log and alert on 'lc' keys inside user-controlled input before it reaches LangChain serialization
- Add WAF rules for serialization-injection patterns in JSON bodies, treating them as a coarse filter: nested or encoded payloads are easy to miss
- Use software composition analysis (SCA, for example npm audit or a lockfile scanner) to find vulnerable LangChain versions in your dependency tree
- Enable runtime application self-protection (RASP) to detect deserialization attacks
Monitoring Recommendations
- Monitor application logs for deserialization exceptions and anomalous object instantiation
- Implement alerting for unusual patterns in JSON payloads containing LangChain-specific key structures
- Review audit logs for applications processing user-controlled data through LangChain serialization methods
- Track package versions across your environment to identify systems running vulnerable LangChain versions
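The detection and monitoring steps above reduce to one operation: walk untrusted JSON and report every object that carries an 'lc' key where plain data was expected. The following is an added example, not LangChain's or the page's own code: findEnvelopes() does that walk, assertNoEnvelopes() turns it into a pre-serialization gate for the input-validation workaround, and scanLog() runs it over constructed request-log lines. The log format and the envelope shapes in the sample (including the "secret" type, modelled on LangChain's layout) are assumptions of this example.

```javascript
// Added example, not LangChain's code: a scanner for LangChain-style
// serialization envelopes hidden inside untrusted JSON. The log format and
// the envelope shapes used below are constructed for this example.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Walk a parsed JSON value and report every object that carries an own "lc"
// key, with the path where it sits and the type/id it claims. Any such object
// in a field that should hold plain user data is suspicious.
function findEnvelopes(value, path = "$", found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findEnvelopes(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === "object") {
    if (hasOwn(value, "lc")) {
      found.push({
        path,
        type: typeof value.type === "string" ? value.type : null,
        id: Array.isArray(value.id) ? value.id.join("/") : value.id ?? null,
      });
    }
    for (const [k, v] of Object.entries(value)) findEnvelopes(v, `${path}.${k}`, found);
  }
  return found;
}

// Pre-serialization gate for the workaround: refuse input that carries an
// envelope anywhere, rather than trying to sanitize it in place.
function assertNoEnvelopes(value) {
  const hits = findEnvelopes(value);
  if (hits.length > 0) {
    throw new Error(`refusing input: lc-keyed object at ${hits.map((h) => h.path).join(", ")}`);
  }
  return value;
}

// Constructed request-log lines: one benign, one with an envelope nested in a
// message field, one with a top-level envelope, one with a body that does not
// parse (which should be reported, not crash the scanner).
const SAMPLE_LOG = [
  '2025-12-24T10:00:01Z POST /chat body={"messages":[{"role":"user","content":"hello"}]}',
  '2025-12-24T10:00:02Z POST /chat body={"messages":[{"role":"user","content":{"lc":1,"type":"secret","id":["OPENAI_API_KEY"]}}]}',
  '2025-12-24T10:00:03Z POST /chat body={"lc":1,"type":"constructor","id":["x","y"],"kwargs":{},"messages":[]}',
  '2025-12-24T10:00:04Z POST /chat body={not json',
];

// Parse one line of the constructed format "<ts> <method> <route> body=<json>".
function scanLogLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) body=(.*)$/);
  if (!m) return null;
  const [, ts, method, route, body] = m;
  try {
    return { ts, method, route, error: null, hits: findEnvelopes(JSON.parse(body)) };
  } catch {
    return { ts, method, route, error: "unparseable body", hits: [] };
  }
}

// Return only the lines worth alerting on.
function scanLog(lines) {
  return lines
    .map(scanLogLine)
    .filter((r) => r !== null && (r.hits.length > 0 || r.error !== null));
}

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(r.ts, r.error ?? r.hits.map((h) => `${h.path} (${h.type}:${h.id})`).join("; "));
}
```

Reporting the JSON path matters more than the count of hits: a top-level envelope may be a legitimate serialized chain the application stored itself, whereas an envelope under a user-authored field such as messages[0].content is almost always injection. Rejecting unparseable bodies rather than skipping them keeps the scanner from being blinded by malformed input.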
How to Mitigate CVE-2025-68665
Immediate Actions Required
- Upgrade @langchain/core to version 0.3.80 or 1.1.8 or later immediately
- Upgrade langchain to version 0.3.37 or 1.2.3 or later immediately
- Audit applications to identify all instances where user-controlled data is processed through LangChain serialization
- Implement input validation to sanitize or reject data containing suspicious 'lc' key structures until patches can be applied
Patch Information
LangChain has released security patches that address this vulnerability by introducing proper escaping for potentially dangerous key structures. The patches are available in the following versions:
- @langchain/core: Versions 0.3.80 and 1.1.8 contain the fix
- langchain: Versions 0.3.37 and 1.2.3 contain the fix
For detailed information, refer to the GitHub Security Advisory GHSA-r399-636x-v7f6. Release notes are available at the v1.1.8 release page and v1.2.3 release page.
Workarounds
- Implement strict input validation to filter out or escape objects containing the 'lc' key before they reach LangChain serialization methods
- Deploy a reverse proxy or WAF to inspect incoming JSON payloads for serialization patterns; treat this as defence in depth, since it cannot see data that reaches the serializer by other routes
- Isolate LangChain-based applications in sandboxed environments to limit the impact of potential exploitation
- If immediate patching is not possible, consider temporarily restricting user input to known-safe schemas
# Install the patched releases for the 1.x line (use @langchain/core@^0.3.80
# and langchain@^0.3.37 if you are still on the 0.3.x line)
npm install @langchain/core@^1.1.8 langchain@^1.2.3
# Verify the versions that actually resolved in the dependency tree
npm ls @langchain/core langchain
# Confirm no open advisories remain for these packages
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


