Langchain/Core
cpe:2.3:a:langchain:langchain\/core:*:*:*:*:*:node.js:*:*
part: a version: * update: *
| Vendor | Langchain (3bec1db6-30f1-5f7c-8067-d161076b8e16) |
|---|---|
| Product | Langchain/Core (10e54c49-086e-54d0-a1cb-9d9540b16033) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | node.js |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-68665 | vulnerable | 2026-06-08 07:41:21.589354 | LangChain serialization injection vulnerability enables secret extraction. HIGH (8.6). LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when stringifying objects using JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3. Published: 2025-12-23T22:56:04.837Z. Updated: 2025-12-24T14:38:40.268Z. | Imported from gcve-enriched-dumps CVE data |