Server‑Side Template Injection (SSTI) & Remote Code Execution in LangChain Core 1.2.4 (CVE‑2025‑68664)
What Happened – A server‑side template injection flaw in langchain_core.load allows an attacker to supply serialized data that is deserialized into a malicious PromptTemplate and rendered, leading to arbitrary command execution on the host running the library. The vulnerability affects all LangChain Core 0.3.x releases before 0.3.81 and all 1.x releases before 1.2.5, and was publicly disclosed on 2025‑12‑29.
Why It Matters for TPRM –
- LangChain is widely embedded in AI‑driven SaaS products; a compromised dependency can give threat actors a foothold in downstream services.
- The exploit works via unsafe deserialization of attacker‑controlled input, a common supply‑chain attack vector that bypasses traditional perimeter defenses because the payload arrives as ordinary application data.
- Successful exploitation can lead to credential leakage, data exfiltration, or full system takeover, amplifying third‑party risk.
Who Is Affected – AI/ML platforms, SaaS vendors, data‑science consulting firms, and any organization that incorporates LangChain Core < 1.2.5 into production workloads.
Recommended Actions –
- Inventory all applications that depend on LangChain Core and verify the library version.
- Immediately upgrade to ≥ 1.2.5 (or ≥ 0.3.81) where the deserialization guard is patched.
- Review CI/CD pipelines and application code for unsafe load/dumps usage on untrusted input and enforce strict input validation.
- Conduct a code review of any custom PromptTemplate constructions that may expose Jinja2 rendering.
Technical Notes – The flaw stems from unsafe deserialization in langchain_core.load, which does not distinguish attacker‑controlled dictionaries carrying the lc marker key from trusted serialized objects; an attacker who can get such a dictionary into a load() call can instantiate a Jinja2‑format PromptTemplate whose rendering executes os.system calls. No fix was available before the release of 1.2.5 (and 0.3.81 on the 0.3.x line). Exploit code demonstrates environment variable leakage and command execution (id). Source: Exploit‑DB 52514