
4165 matches found

NVD
added 2025/12/28 3:15 a.m., 3 views

CVE-2025-15117

A weakness has been identified in Dromara Sa-Token up to 1.44.0. This affects the function ObjectInputStream.readObject of the file SaJdkSerializer.java. Executing manipulation can lead to deserialization. The attack may be launched remotely. This attack is characterized by high complexity. It is...

CVSS 3.1 | EPSS 0.0005
Exploits 0 | References 4
GithubExploit
added 2025/12/27 6:49 a.m., 659 views

Exploit for CVE-2025-68664

--- 📑 Table of Contents - 🎯 Executive Summary-executive...

CVSS 9.9 | AI score 9.7 | EPSS 0.65759
Exploits 32
The Hacker News
added 2025/12/26 9:27 a.m., 6 views

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain...

CVSS 9.3 | AI score 7.8 | EPSS 0.02624
Exploits 4
RedhatCVE
added 2025/12/26 5:41 a.m., 3 views

CVE-2025-68664

A flaw was found in LangChain, a framework for building agents and LLM-powered applications. A remote attacker can exploit a serialization injection vulnerability in LangChain's dumps and dumpd functions. This occurs because the functions do not properly escape dictionaries containing the interna...

CVSS 9.3 | AI score 7.5 | EPSS 0.02624
Exploits 4 | References 10
RedhatCVE
added 2025/12/24 5:23 p.m., 4 views

CVE-2025-68665

A flaw was found in LangChain. A remote attacker could exploit a serialization injection vulnerability in the toJSON method. This occurs because the method fails to properly escape objects containing 'lc' keys during serialization of free-form data. When user-controlled data includes this key...

CVSS 8.6 | AI score 7 | EPSS 0.00072
Exploits 0 | References 7
NVD
added 2025/12/23 11:15 p.m., 8 views

CVE-2025-68665

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 9.1 | EPSS 0.00072
Exploits 0 | References 4
NVD
added 2025/12/23 11:15 p.m., 1 view

CVE-2025-68664

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...

CVSS 9.3 | EPSS 0.02624
Exploits 4 | References 7
Vulnrichment
added 2025/12/23 10:56 p.m., 2 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 | AI score 6.8 | EPSS 0.00072
Exploits 0 | References 4
CVE
added 2025/12/23 10:56 p.m., 15 views

CVE-2025-68665

CVE-2025-68665 (LangChain JS) has a serialization-injection vulnerability in LangChain JS toJSON() and JSON.stringify() paths that fails to escape objects with the internal 'lc' key, causing user-controlled data to be mistaken for LangChain objects during deserialization. Affected: LangChain JS b...

CVSS 9.1 | AI score 6.8 | EPSS 0.00072
Exploits 0 | References 4 | Affected Software 2
OSV
added 2025/12/23 10:56 p.m., 2 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 | AI score 7.2 | EPSS 0.00072
Exploits 0 | References 6
Cvelist
added 2025/12/23 10:56 p.m., 24 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

CVSS 8.6 | EPSS 0.00072
Exploits 0 | References 4
Vulnrichment
added 2025/12/23 10:47 p.m., 2 views

CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...

CVSS 9.3 | AI score 6.9 | EPSS 0.02624
Exploits 4 | References 7
OSV
added 2025/12/23 10:47 p.m., 2 views

CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...

CVSS 9.3 | AI score 7.2 | EPSS 0.02624
Exploits 4 | References 9
CVE
added 2025/12/23 10:47 p.m., 24 views

CVE-2025-68664

CVE-2025-68664 (LangGrinch) is a serialization-injection vulnerability in the LangChain Core Python package. Affected versions prior to 0.3.81 and 1.2.5 fail to escape dictionaries containing the internal lc marker during dumps/dumpd, causing user-controlled data to be treated as legitimate LangC...

CVSS 9.3 | AI score 6.9 | EPSS 0.02624
Exploits 4 | References 7 | Affected Software 1
Cvelist
added 2025/12/23 10:47 p.m., 20 views

CVE-2025-68664 LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries...

CVSS 9.3 | EPSS 0.02624
Exploits 4 | References 7
EUVD
added 2025/12/23 8:8 p.m., 1 view

EUVD-2025-204846

LangChain serialization injection vulnerability enables secret extraction...

CVSS 8.6 | AI score 6.8 | EPSS 0.00072
Exploits 0 | References 5
Github Security Blog
added 2025/12/23 8:8 p.m., 12 views

LangChain serialization injection vulnerability enables secret extraction

Context A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...

CVSS 9.1 | AI score 7.3 | EPSS 0.00072
Exploits 0 | References 6 | Affected Software 2
OSV
added 2025/12/23 8:8 p.m., 3 views

GHSA-R399-636X-V7F6 LangChain serialization injection vulnerability enables secret extraction

Context A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...

CVSS 8.6 | AI score 7.2 | EPSS 0.00072
Exploits 0 | References 6
OSV
added 2025/12/23 6:46 p.m., 8 views

GHSA-C67J-W6G6-Q2CM LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...

CVSS 9.3 | AI score 6.2 | EPSS 0.02624
Exploits 4 | References 9
EUVD
added 2025/12/23 6:46 p.m., 1 view

EUVD-2025-204849

LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs...

CVSS 9.3 | AI score 6.8 | EPSS 0.02624
Exploits 4 | References 8