Langchain.Js
cpe:2.3:a:langchain:langchain.js:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Langchain (3bec1db6-30f1-5f7c-8067-d161076b8e16) |
|---|---|
| Product | Langchain.Js (691154ab-7b89-589f-9b80-30b5a25a8d92) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/langchain-ai/langchainjs | purl2cpe | 2026-06-01 10:15:38.735913 |
| pkg:npm/langchain | purl2cpe | 2026-06-01 10:15:38.735914 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-68665 | vulnerable | 2026-06-08 07:41:21.588600 | LangChain serialization injection vulnerability enables secret extraction. HIGH (8.6). LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when stringifying objects using JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3. Published: 2025-12-23T22:56:04.837Z. Updated: 2025-12-24T14:38:40.268Z. | Imported from gcve-enriched-dumps CVE data |