LangChain Core has been found to have a serious security vulnerability. An attacker could use prompt injection to manipulate large language model (LLM) responses and steal confidential information. The vulnerability has a CVSS score of 9.3 out of 10 and is tracked as CVE-2025-68664.

Users are encouraged to update to a patched version as soon as possible. A comparable serialization injection vulnerability exists in LangChain.js, which also results from improperly escaping objects with "lc" keys. It is tracked as CVE-2025-68665 (CVSS score: 8.6).

The npm packages @langchain/core >= 1.0.0, < 1.2.5, < 0.3.81, and langchain_community are affected.

The LangChain patch adds new restrictive defaults in load() and loads() by using the "allowed_objects" allowlist parameter, which lets users designate which classes can be serialized or deserialized. Additionally, the "secrets_from_env" option is now set to "False" to prevent automatic secret loading from the environment, and Jinja2 templates are blocked by default.

The vulnerability affects the following langchain-core versions:

• @langchain/core < 0-3.80 (fixed in 0.4.80)
• langchain >= 1-0-1.0 (resolved in 1.1.8)
• @langchain/core < 0 -3.0 -0.3 -0-0.37 (fixed in 0.5.37)
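The "lc" escaping flaw and the allowlist default described in the patch paragraph above can be reproduced in a toy serializer. This is an added example, not LangChain's code: the envelope shape, the `__escaped__` wrapper key, the sample data and every function name are assumptions of the sketch, and secrets come from an explicit map rather than the environment.

```python
import json

MARKER = "lc"            # key that marks a serializer-produced envelope
ESCAPE = "__escaped__"   # hypothetical wrapper key, an assumption of this sketch

# Constructed sample input: user-controlled data that mimics an envelope.
UNTRUSTED = {"note": {"lc": 1, "type": "secret", "id": "API_KEY"}}
SECRETS = {"API_KEY": "constructed-secret"}


def dump_unsafe(value):
    """Pre-fix behaviour: user-controlled dicts are emitted verbatim."""
    return json.dumps(value)


def _escape(value):
    # Wrap any user dict carrying the marker (or the wrapper key itself) so
    # the loader can never mistake it for an envelope.
    if isinstance(value, dict):
        inner = {k: _escape(v) for k, v in value.items()}
        return {ESCAPE: inner} if MARKER in value or ESCAPE in value else inner
    if isinstance(value, list):
        return [_escape(v) for v in value]
    return value


def dump_safe(value):
    """Post-fix behaviour: marker-bearing user dicts are escaped first."""
    return json.dumps(_escape(value))


def _revive(node, allowed, secrets):
    if isinstance(node, list):
        return [_revive(n, allowed, secrets) for n in node]
    if not isinstance(node, dict):
        return node
    if set(node) == {ESCAPE} and isinstance(node[ESCAPE], dict):
        # Escaped user data: unwrap it as a plain dict, never as an envelope.
        return {k: _revive(v, allowed, secrets) for k, v in node[ESCAPE].items()}
    if MARKER in node:
        kind = node.get("type")
        if kind not in allowed:            # restrictive default: nothing allowed
            raise ValueError(f"type {kind!r} is not in allowed_objects")
        if kind == "secret":               # resolved only from an explicit map
            return secrets[node["id"]]
    return {k: _revive(v, allowed, secrets) for k, v in node.items()}


def load(text, allowed=frozenset(), secrets=None):
    return _revive(json.loads(text), allowed, secrets or {})
```

With `dump_unsafe`, the user-supplied dict is revived as a secret once that type is allowed; with `dump_safe` it round-trips as plain data, and the empty default allowlist rejects the envelope either way.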