Microsoft Security Blog — LangChain Core serialization injection (CVE-2025-68664)

• Category: AI CVEs

AI relevance: LangChain Core sits directly in the execution path of many LLM agents (tool calls, state, memory), so a serialization/deserialization flaw can become a reliable bridge from “untrusted agent inputs” to secrets access or code-adjacent side effects.

  • What happened: Microsoft published a case study on LangGrinch (CVE-2025-68664), described as a serialization injection issue in langchain-core.
  • Core mechanic (per Microsoft): LangChain uses a reserved key (lc) to distinguish “plain data” from “serialized LangChain objects”.
  • Bug class: when user-controlled dictionaries containing lc flow through serialization (dumps()/dumpd()) and later deserialization, the framework may treat attacker data as a trusted object and reconstruct it.
  • Impact (per Microsoft): possible secrets extraction (e.g., environment variables), unintended class instantiation, and side effects during object initialization.
  • Why this matters for agents: agents routinely ingest semi-structured data from tools (web pages, tickets, emails, JSON blobs). If that data can smuggle control markers, you get an “injection” primitive below the prompt layer.
  • Fix versions (per Microsoft): upgrade langchain-core to 0.3.81+ (for 0.3.x) or 1.2.5+ (for 1.x).
  • Operational angle: Microsoft ties this to AI application supply chain posture: inventory where LangChain is deployed (containers, VMs, code envs) and track vulnerable versions as first-class risk.

Why it matters

  • “Data vs control” separation: agent ecosystems pass dictionaries everywhere; a reserved key used as a control signal is a sharp edge if it’s not aggressively escaped/validated.
  • Secrets are nearby: agent runtimes commonly have API keys (LLM providers, SaaS tools) in env vars; anything that turns “parse this dict” into “instantiate this object” can become a secrets pipeline.
  • Supply chain reality: even if your prompt injection defenses are solid, a vulnerable orchestration library is still an exploit surface.

What to do

  1. Patch now: update langchain-core to the fixed versions referenced above (and rebuild/redeploy images, not just source code).
  2. Find exposure: inventory where langchain-core is installed (prod containers, notebooks, “utility” lambdas, internal agent services) and map versions.
  3. Harden deserialization: treat any reserved control markers (lc-like fields) as tainted when they come from tool outputs, user uploads, or external systems; add validation at boundaries.
  4. Reduce blast radius: run agent workers with minimal env secrets; prefer workload identity / scoped tokens and deny outbound network by default where feasible.
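As an added illustration of steps 1 and 3 (not code from Microsoft's write-up or from LangChain itself), the snippet below gates on the fixed versions the advisory names and flags or quarantines reserved marker keys before untrusted tool output is handed to anything that serializes it. It assumes the marker set is just `lc` and that only the 0.3.81+ and 1.2.5+ lines are fixed, as stated above; the sample payload is constructed.

```python
from typing import Any, Iterator

RESERVED_MARKERS = frozenset({"lc"})          # control key named in the advisory
FIXED_VERSIONS = {(0, 3): (0, 3, 81), (1,): (1, 2, 5)}  # fixed lines per the write-up


def find_control_markers(obj: Any, path: str = "$") -> Iterator[str]:
    """Yield JSONPath-like locations of dicts carrying a reserved marker key.

    Walks nested dicts/lists so a marker buried deep in a tool result is found.
    """
    if isinstance(obj, dict):
        for key in obj:
            if key in RESERVED_MARKERS:
                yield f"{path}.{key}"
        for key, value in obj.items():
            yield from find_control_markers(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_control_markers(item, f"{path}[{i}]")


def quarantine_untrusted(obj: Any) -> Any:
    """Return a copy in which reserved keys from untrusted input are renamed.

    Renaming (not deleting) keeps the data visible for logging while stripping
    its control meaning before it reaches dumps()/dumpd().
    """
    if isinstance(obj, dict):
        return {(f"untrusted_{k}" if k in RESERVED_MARKERS else k): quarantine_untrusted(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [quarantine_untrusted(v) for v in obj]
    return obj


def langchain_core_is_fixed(version: str) -> bool:
    """True if a plain X.Y.Z langchain-core version is at or above the fixed
    release for its line; other lines are conservatively reported as not fixed."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    for line, fixed in FIXED_VERSIONS.items():
        if parts[:len(line)] == line:
            return parts >= fixed
    return False


# Constructed sample: a scraped ticket and attachment list smuggling lc keys.
SAMPLE_TOOL_OUTPUT = {
    "ticket": {"id": 42, "body": {"lc": "attacker-controlled", "note": "x"}},
    "attachments": [{"name": "a.txt"}, {"lc": "attacker-controlled", "id": ["hyp"]}],
}
```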

Sources