LangChain serialization injection vulnerability enables secret extraction in dumps/loads APIs

Summary A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data...

BIT-NIFI-2025-66524 Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

PT-2025-52859

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 0.3.81 and 1.2.5 Description: A serialization injection vulnerability exists in LangChain's dumps and dumpd functions. These functions do not properly escape dictionaries containing 'lc' keys when serializing data...

LangChain 代码问题漏洞

LangChain is a LangChain open source framework for developing applications powered by the Large Language Model LLM. A code issue vulnerability exists in LangChain versions prior to 0.3.37 and prior to 1.2.3, which stems from serialization injection and could lead to the execution of arbitrary cod...

PT-2025-52862

Name of the Vulnerable Software and Affected Versions LangChain versions prior to 0.3.37 @langchain/core versions prior to 0.3.80 LangChain versions prior to 1.2.3 @langchain/core versions prior to 1.1.8 Description LangChain is a framework designed for building applications powered by Large...

LangChain 代码问题漏洞

LangChain is a LangChain open source framework for developing applications powered by the Large Language Model LLM. A code issue vulnerability exists in LangChain versions prior to 0.3.81 and prior to 1.2.5, which stems from serialization injection and could lead to the execution of arbitrary cod...

CVE-2025-66524

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

External Control of File Name or Path in Langflow

Vulnerability Overview If an arbitrary path is specified in the request body's fspath, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths e.g., /etc/poc.txt ar...

GHSA-V4P2-2W39-MHRJ Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

EUVD-2025-204524

Apache NiFi GetAsanaObject Processor has Remote Code Execution via Unsafe Deserialization...

CVE-2025-66524 Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

CVE-2025-66524 Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

CVE-2025-66524

The vulnerability concerns Apache NiFi GetAsanaObject Processor (NiFi 1.20.0–2.6.0) which uses unfiltered Java Object serialization/deserialization with a Distribute Map Cache Client Service for state. The root cause is unsafe deserialization of crafted state data stored in the configured cache s...

PT-2025-52439

Name of the Vulnerable Software and Affected Versions Apache NiFi versions 1.20.0 through 2.6.0 Description The GetAsanaObject Processor in Apache NiFi utilizes a Distribute Map Cache Client Service for state management. This processor employs Java Object serialization and deserialization without...

SUSE CVE-2025-68224

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

CVE-2025-68296 drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup

In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vgaswitcheroo: Avoid race condition in fbcon setup Protect vgaswitcherooclientfbset with console lock. Avoids OOB access in fbconremapall. Without holding the console lock the call races with switching outputs. VGA...

CVE-2025-68224 scsi: core: Fix a regression triggered by scsi_host_busy()

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a regression triggered by scsihostbusy Commit 995412e23bb2 "blk-mq: Replace tags-lock with SRCU for tag iterators" introduced the following regression: Call trace: srcureadlock+0x30/0x80 P...

Security Bulletin: Vulnerability in Java SE affects IBM Netezza Appliance

Summary The Java SE package is used by IBM Netezza Appliance . IBM Netezza Appliance has addressed the applicable CVEs CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235 Vulnerability Details CVEID:CVE-2024-21208 DESCRIPTION: Vulnerability in Java SE component: Networking. Difficult t...

CVE-2025-13743

Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred...

CVE-2025-13743 Expired Personal Access Tokens (PATs) are recorded in Docker Desktop diagnostic logs

Docker Desktop diagnostics bundles were found to include expired Hub PATs in log output due to error object serialization. This poses a risk of leaking sensitive information in exported diagnostics, especially when access denied errors occurred...