Critical Vulnerability in LangChain Core Exposes Secrets and Enables Prompt Injection
Executive Summary
In December 2025, a critical vulnerability was disclosed in LangChain Core, a widely used Python package within the LangChain open-source ecosystem. Attackers were able to exploit a flaw in the serialization process, resulting in exposure of sensitive secrets and the ability to manipulate large language model (LLM) responses via prompt injection. The underlying vulnerability allowed threat actors to craft malicious payloads, leading to remote code execution in environments where untrusted input could be serialized, posing major risks to organizations relying on LangChain-powered AI workflows. This supply-chain attack path also opened the door for access to credentials and proprietary data.
This incident highlights the expanding threat landscape targeting AI infrastructure and software supply chains. With the surge of enterprise adoption of AI and LLMs, vulnerabilities in core AI frameworks are increasingly attractive to threat actors, underscoring regulatory scrutiny and the need for robust code security practices within open-source dependencies.
Why This Matters Now
The exploitation of core vulnerabilities in widely adopted AI frameworks like LangChain shows how rapidly evolving supply-chain threats put sensitive data at risk. As organizations accelerate LLM adoption, attackers are pivoting to target open-source dependencies and serialization flaws, making secure software supply chains and prompt vulnerability mitigation more urgent than ever.
Attack Path Analysis
The attack began with an adversary leveraging a serialization injection vulnerability in LangChain Core, resulting in the compromise of the software supply chain. Upon gaining entry, the attacker escalated privileges by extracting sensitive secrets and credentials exposed via improper serialization handling. Next, the attacker moved laterally within the cloud environment, possibly accessing interconnected workloads or services by exploiting insufficient segmentation. Establishing command and control, the attacker communicated covertly out of the cloud by leveraging outbound connections and undetected traffic flows. Sensitive data, including secrets, were exfiltrated using allowed egress paths. Ultimately, the attacker could manipulate LLM responses or disrupt business operations, affecting integrity and the reliability of AI-based systems.
Kill Chain Progression
Initial Compromise
Description
Exploitation of the LangChain Core serialization injection vulnerability in a software supply chain update or trusted component to gain foothold in the target cloud workload.
Related CVEs
CVE-2025-68664
CVSS 9.3A serialization injection vulnerability in LangChain's dumps() and dumpd() functions allows attackers to inject malicious objects during deserialization, potentially leading to secret extraction or arbitrary class instantiation.
Affected Products:
Langchain-ai langchain – < 0.3.81, >= 1.0.0, < 1.2.5
Exploit Status:
proof of conceptCVE-2025-68665
CVSS 8.6A serialization injection vulnerability in LangChain JS's toJSON() method allows attackers to inject malicious objects during deserialization, potentially leading to secret extraction or arbitrary class instantiation.
Affected Products:
Langchain-ai @langchain/core – < 0.3.80, >= 1.0.0, < 1.1.8
Langchain-ai langchain – < 0.3.37, >= 1.0.0, < 1.2.3
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Command and Scripting Interpreter: Python
User Execution: Malicious File
Modify Authentication Process: Network Device Authentication
Exploit Public-Facing Application
Indicator Removal: File Deletion
Network Sniffing
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Application and Workload Security: Secure Software Development
Control ID: 3.4
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
LangChain Core serialization vulnerability exposes software development supply chains to credential theft and LLM prompt injection attacks affecting AI-integrated applications.
Financial Services
Critical supply-chain flaw threatens AI-powered financial applications using LangChain, enabling secret extraction and model response manipulation in automated trading systems.
Health Care / Life Sciences
Healthcare AI systems utilizing LangChain Core face HIPAA compliance risks through serialization injection attacks compromising patient data and clinical decision models.
Information Technology/IT
IT infrastructure integrating LangChain frameworks vulnerable to supply-chain attacks enabling lateral movement and zero trust policy bypass through compromised AI components.
Sources
- Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injectionhttps://thehackernews.com/2025/12/critical-langchain-core-vulnerability.htmlVerified
- LangChain serialization injection vulnerability enables secret extractionhttps://github.com/advisories/GHSA-r399-636x-v7f6Verified
- CVE-2025-68664 - Critical Vulnerability - TheHackerWirehttps://www.thehackerwire.com/vulnerability/CVE-2025-68664/Verified
- LangChain Vulnerability LangGrinch Exposes AI Secretshttps://theoutpost.ai/news-story/critical-lang-grinch-flaw-in-lang-chain-core-exposes-ai-agent-secrets-and-enables-prompt-injection-22617/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust segmentation, egress policy enforcement, inline threat detection, and complete cloud visibility would have significantly constrained the attacker's ability to move laterally, exfiltrate data, or manipulate workloads across the cloud estate.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Real-time inline inspection can block malicious supply chain traffic.
Control: Multicloud Visibility & Control
Mitigation: Centralized logging and alerting enables rapid detection of suspicious privilege elevation.
Control: Zero Trust Segmentation
Mitigation: Identity-based microsegmentation limits the attack surface and blocks unauthorized east-west movement.
Control: Egress Security & Policy Enforcement
Mitigation: Strict egress controls prevent unauthorized external communication channels.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous exfiltration patterns are detected and alerted in real time.
Workload isolation within Kubernetes clusters reduces blast radius of successful compromise.
Impact at a Glance
Affected Business Functions
- Data Processing
- AI Model Training
- Application Development
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive environment variables, including API keys and credentials, leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- • Strengthen supply chain controls and implement real-time inline inspection of all cloud ingress points for early threat blocking.
- • Apply granular zero trust segmentation and east-west workload isolation to prevent lateral movement from compromised services.
- • Enforce rigorous egress policies with FQDN and application-layer controls to block unauthorized external communications and data exfiltration.
- • Enable comprehensive, centralized cloud observability and anomaly detection to accelerate detection and response of privilege escalations or suspicious behavior.
- • Harden Kubernetes clusters with namespace-level firewalling and identity-based microsegmentation to reduce the blast radius of future vulnerabilities.
