Full Report
A critical security flaw has been disclosed in LangChain Core that could be exploited by an attacker to steal sensitive secrets and even influence large language model (LLM) responses through prompt injection. LangChain Core (i.e., langchain-core) is a core Python package that's part of the LangChain ecosystem, providing the core interfaces and model-agnostic abstractions for building
Analysis Summary
# Vulnerability: Serialization Injection in LangChain Core Leading to Secret Exposure and Prompt Injection
## CVE Details
- CVE ID: Not explicitly provided in the text. (Placeholder: CVE-YYYY-XXXXX)
- CVSS Score: Not explicitly provided in the text. (Severity inferred as Critical)
- CWE: Related to Improper Input Validation/Deserialization (Inferred)
## Affected Systems
- Products: LangChain Core (`langchain-core`)
- Versions:
- `langchain-core`: Versions `< 1.2.3`
- `langchain`: Versions `< 0.3.37`
- Configurations: Systems utilizing LangChain Core for streaming operations where LLM response fields are deserialized.
## Vulnerability Description
A critical security flaw exists in LangChain Core related to serialization and deserialization processes, particularly within streaming operations. An attacker can leverage prompt injection techniques to control specific fields within LLM responses, such as `additional_kwargs` or `response_metadata`. This malicious input is then serialized and potentially deserialized inappropriately by the core package, leading to the execution of attacker-controlled code or the leakage of sensitive secrets. This represents a classic security failure where LLM output is treated as untrusted input, enabling a form of prompt injection that crosses into classic remote code execution or information disclosure vectors via deserialization.
## Exploitation
- Status: Highly concerning (Implied imminent threat given the criticality assessment).
- Complexity: Likely Low, as the vector relies on exploiting controllable fields via standard prompt injection.
- Attack Vector: Network (via crafted prompts sent to the LLM gateway integrated with LangChain).
## Impact
- Confidentiality: High (Potential theft of sensitive secrets).
- Integrity: High (Potential influence/manipulation of LLM responses beyond expected results).
- Availability: Low/Medium (Indirect impact, primarily focused on data compromise).
## Remediation
### Patches
- **`langchain-core`**: Update to version `1.2.3` or later.
- **`langchain`**: Update to version `0.3.37` or later.
### Workarounds
- Users are advised to update to a patched version as soon as possible for optimal protection, indicating that workarounds may be insufficient or difficult to implement without patching.
## Detection
- **Indicators of Compromise**: Anomalous behavior during streaming output processing, unexpected execution flows during or after LLM calls, or evidence of sensitive secrets being exfiltrated or accessed around the time of LLM request processing.
- **Detection Methods and Tools**: Monitoring serialization/deserialization endpoints for unexpected object types or payloads originating from user-controlled input paths (like LLM stream metadata). Security checks on LLM outputs before passing them to downstream deserialization functions.
## References
- Vendor Advisory Source: TheHackerNews (Implied vendor communication via article summary) (Defanged URL: hXXps://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html)