CVE-2025-68664 (langchain-core): object confusion during (de)serialization can leak secrets (and in some cases escalate further). Details and mitigations in the post.
The best part about this is that you know the type of people/companies using langchain are likely the type that are not going to patch this in a timely manner.
Cheers to all the teams on sev1 calls on their holidays, we can only hope their adversaries are also trying to spend time with family. LangGrinch, indeed! (I get it, timely disclosure is responsible disclosure)
LLM slop. At least one clear error (hallucination): "’Twas the night before Christmas, and I was doing the least festive kind of work: staring at serialization"
Per disclosure timeline the report was made on December 4, it was definitely not the night before Christmas when you were doing the work then.
10 comments
[ 27.7 ms ] story [ 1014 ms ] threadI would rather just read the original prompt that went in instead of verbosified "it's not X, it's **Y**!" slop.
Ugh. I’m a native English speaker and this sounds wrong, massaged by LLM or not.
“Large blast radius” would be a good substitute.
I am happy this whole issue doesn’t affect me, so I can stop reading when I don’t like the writing.
Per disclosure timeline the report was made on December 4, it was definitely not the night before Christmas when you were doing the work then.
I wonder if this code was written by an LLM hahaha