CVE-2025-68665

HIGH

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions

Details

CVSS v3: 8.6
NVD published: 2025-12-23 23:15:45
EPSS: <0.1% probability · 14.5th percentile — 2026-03-30
Affected versions: cpe:2.3:a:langchain:langchain.js:*:*:*:*:*:*:*:* cpe:2.3:a:langchain:langchain.js:*:*:*:*:*:*:*:* cpe:2.3:a:langchain:langchain\/core:*:*:*:*:*:node.js:*:* cpe:2.3:a:langchain:langchain\/core:*:*:*:*:*:node.js:*:*
Summary: LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3
Remediation: Not available in our cache.
Exploit info: Not available in our cache.

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.