TopVuln

High-risk vulnerability digests

CVE-2025-68664

  • CRITICAL

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Details

CVSS v3
9.3
NVD published
2025-12-23 23:15:44
EPSS
<0.1% probability · 11.3th percentile — 2026-03-16
Affected versions
cpe:2.3:a:langchain:langchain_core:*:*:*:*:*:python:*:*
Summary
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
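An added example (not from the advisory or from LangChain) of a defender-side check based on the summary above: it walks free-form data for dictionaries carrying an 'lc' key before that data reaches dumps() or dumpd(), and compares a langchain-core version string against the fixed releases. The function names, the sample data, and the mapping of 0.x to 0.3.81 and 1.x to 1.2.5 are assumptions.

```python
# Added example: defensive pre-serialization check, not LangChain code.
import re

LC_KEY = "lc"  # marker key named in the advisory summary
# Fixed releases from the summary, keyed by major version (assumed mapping).
FIXED = {0: (0, 3, 81), 1: (1, 2, 5)}


def find_lc_marked(data, path="$"):
    """Return the path of every dict in free-form data that carries an 'lc' key."""
    hits = []
    if isinstance(data, dict):
        if LC_KEY in data:
            hits.append(path)
        for key, value in data.items():
            hits.extend(find_lc_marked(value, f"{path}.{key}"))
    elif isinstance(data, (list, tuple)):
        for i, value in enumerate(data):
            hits.extend(find_lc_marked(value, f"{path}[{i}]"))
    return hits


def is_patched(version):
    """True/False if the version is at/below the fixed release of its major
    line; None when the string or the major line is not recognised."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    parsed = tuple(int(p) for p in m.groups())
    fixed = FIXED.get(parsed[0])
    return None if fixed is None else parsed >= fixed


# Constructed sample: request metadata as it might arrive from an untrusted client.
SAMPLE = {
    "user": "alice",
    "metadata": {"note": "hello", "extra": {"lc": 1, "payload": "x"}},
    "history": [{"text": "hi"}, {"lc": 1}],
}

if __name__ == "__main__":
    print("dicts carrying the marker key:", find_lc_marked(SAMPLE))
    for v in ("0.3.80", "0.3.81", "1.2.4", "1.2.5"):
        print(v, "patched" if is_patched(v) else "vulnerable")
```

A non-empty result from `find_lc_marked` on user-supplied data is worth rejecting or logging on unpatched versions, since that is the structure the summary says is mistaken for a LangChain object on deserialization.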
Remediation
Not available in our cache.
Exploit info
https://github.com/langchain-ai/langchain/security/advisories/GHSA-c67j-w6g6-q2cm
