CVE-2025-9556 Overview
CVE-2025-9556 is a Server-Side Template Injection (SSTI) vulnerability affecting Langchaingo, a Go implementation of the LangChain framework for building applications powered by large language models. The vulnerability exists in how Langchaingo processes jinja2 syntax when parsing prompts through the gonja library version 1.5.3. The gonja library supports include and extends syntax directives that can be abused to read arbitrary files from the server, enabling attackers to access sensitive system files such as /etc/passwd.
Critical Impact
Unauthenticated attackers can exploit this SSTI vulnerability to read arbitrary files from the server, potentially exposing sensitive configuration data, credentials, and system information without requiring any user interaction.
Affected Products
- Langchaingo (versions using gonja v1.5.3)
- Applications built with Langchaingo that process user-controlled prompts
- Systems running Langchaingo-based LLM applications with jinja2 template parsing enabled
Discovery Timeline
- September 12, 2025 - CVE-2025-9556 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-9556
Vulnerability Analysis
This vulnerability represents a classic Server-Side Template Injection (SSTI) attack vector within the AI/ML application development ecosystem. Langchaingo utilizes jinja2-style templating to provide flexible prompt engineering capabilities, leveraging the gonja library to parse these templates. The core issue lies in gonja's support for the include and extends template directives, which are designed to load and incorporate external template files.
When user-controlled input is processed through the template engine without proper sanitization, an attacker can craft malicious template statements that abuse these file inclusion directives. The template engine interprets these statements as legitimate template operations, executing them with the permissions of the application process. This allows an attacker to traverse the filesystem and read sensitive files, effectively bypassing application-level access controls.
The impact extends beyond simple file disclosure—attackers may be able to enumerate system users, discover application configurations, retrieve database credentials, or gather information for further attacks. In containerized or cloud environments, this could expose service account credentials, API keys, or other secrets mounted into the filesystem.
Root Cause
The root cause of CVE-2025-9556 stems from insufficient input validation and template sandboxing in the gonja library's implementation of jinja2 syntax parsing. The gonja library (v1.5.3) exposes the include and extends template tags without restricting their ability to access arbitrary filesystem paths. When Langchaingo passes user-controlled prompt content to gonja for template processing, these dangerous template constructs remain available and executable.
Secure template engines typically implement sandboxing mechanisms that restrict which template tags are available or limit filesystem access to a designated template directory. The absence of such restrictions in this implementation creates the vulnerability.
Attack Vector
The attack is network-exploitable and requires no authentication or user interaction. An attacker can submit a specially crafted prompt containing malicious template directives to any application endpoint that processes user input through Langchaingo's template parsing functionality. The attack flow involves:
- Identifying an endpoint that accepts user-controlled prompt input
- Injecting template syntax containing include or extends directives
- Specifying a target file path within the template directive
- The gonja template engine processes the malicious input and reads the specified file
- File contents are incorporated into the template output and returned to the attacker
For example, an attacker could inject a template statement targeting /etc/passwd to enumerate system users, or target configuration files containing database credentials, API keys, or other sensitive application secrets.
Detection Methods for CVE-2025-9556
Indicators of Compromise
- Unexpected template syntax patterns in application logs, particularly containing include or extends keywords with filesystem paths
- Access attempts to sensitive files such as /etc/passwd, /etc/shadow, .env, or application configuration files from the application process
- Unusual patterns in LLM prompt inputs containing jinja2 template delimiters ({% %} or {{ }}) combined with filesystem paths
- Application errors related to file access or template parsing failures for non-existent paths
Detection Strategies
- Implement input validation logging to capture and alert on template syntax patterns in user-submitted prompts
- Deploy Web Application Firewall (WAF) rules to detect and block SSTI payload patterns in request bodies
- Monitor application logs for gonja template engine errors or unexpected file access operations
- Use runtime application self-protection (RASP) solutions to detect template injection attempts
Monitoring Recommendations
- Enable detailed logging for all prompt processing operations in Langchaingo applications
- Configure file integrity monitoring (FIM) alerts for access to sensitive system files by application processes
- Implement anomaly detection for unusual patterns in user-submitted prompt content
- Set up alerts for template parsing errors that may indicate exploitation attempts
How to Mitigate CVE-2025-9556
Immediate Actions Required
- Audit all Langchaingo deployments to identify applications processing user-controlled prompts through the template engine
- Implement strict input validation to sanitize or reject prompts containing template syntax before processing
- Apply the principle of least privilege to application runtime accounts, limiting filesystem access
- Consider temporarily disabling jinja2 template parsing if not critical to application functionality
Patch Information
The Langchaingo maintainers have addressed this vulnerability. Refer to the GitHub Pull Request #1348 for the specific fix implementation. Review the GitHub Security Advisory GHSA-mgcj-g55g-rf6h for additional details on affected versions and upgrade instructions. The CERT Vulnerability Report VU#949137 provides supplementary coordination and mitigation guidance.
Update Langchaingo to the latest patched version immediately. Organizations should prioritize this update for any production systems processing external or untrusted input.
Workarounds
- Implement input sanitization to strip or escape template syntax ({% %}, {{ }}) from user-controlled prompts before processing
- Configure application-level restrictions to block prompts containing include, extends, or filesystem path patterns
- Deploy network-level controls using a WAF with SSTI detection rules to filter malicious requests
- Run Langchaingo applications in sandboxed environments with restricted filesystem access using containers or chroot jails
# Example: Input validation wrapper to reject suspicious prompts
# Add validation before passing prompts to Langchaingo template processing
# Reject prompts containing include/extends patterns
grep -E '(\{%.*include|\{%.*extends|/etc/|\.\./)' /dev/stdin && exit 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
