10 comments

[ 27.7 ms ] story [ 1014 ms ] thread
CVE-2025-68664 (langchain-core): object confusion during (de)serialization can leak secrets (and in some cases escalate further). Details and mitigations in the post.
WHY on earth did the author of the CVE feel the need to feed the description text through an LLm? I get dizzy when I see this AI slop style.

I would rather just read the original prompt that went in instead of verbosified "it's not X, it's **Y**!" slop.

The best part about this is that you know the type of people/companies using langchain are likely the type that are not going to patch this in a timely manner.
Cheers to all the teams on sev1 calls on their holidays, we can only hope their adversaries are also trying to spend time with family. LangGrinch, indeed! (I get it, timely disclosure is responsible disclosure)
Meanwhile Harrison Chase is laughing his way to the bank
> The blast radius is scale

Ugh. I’m a native English speaker and this sounds wrong, massaged by LLM or not.

“Large blast radius” would be a good substitute.

I am happy this whole issue doesn’t affect me, so I can stop reading when I don’t like the writing.

What're the odds they've licenced the Grinch character for use on their company blog?
LLM slop. At least one clear error (hallucination): "’Twas the night before Christmas, and I was doing the least festive kind of work: staring at serialization"

Per disclosure timeline the report was made on December 4, it was definitely not the night before Christmas when you were doing the work then.

Security research often looks dramatic from the outside. In reality, it is usually the mundane work of asking AI to make up dramatic stories
The vulnerability was that dumps() and dumpd() did not properly escape user-controlled dictionaries that happened to include the reserved ‘lc’ key.

I wonder if this code was written by an LLM hahaha