LangChain serialization injection vulnerability enables secret extraction
- Severity: High
Description
A serialization injection vulnerability exists in LangChain JS's toJSON() method (and, subsequently, when stringifying objects with JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects, so unescaped free-form data carrying that key cannot be told apart from LangChain's own serialized objects when the output is loaded.
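An added example (not LangChain's own code) that models the hazard described above: a simplified serialized envelope, a serializer that embeds free-form kwargs verbatim beside one that escapes any object carrying an 'lc' key, and a check that counts unescaped 'lc' markers inside the kwargs of a serialized blob. The envelope shape and the escape marker name `__lc_escaped__` are assumptions made for this example.

```javascript
// Added example, not LangChain's code. LangChain marks its own serialized
// objects with an "lc" key; free-form data that also carries "lc" must be
// escaped before being embedded in kwargs, or a loader cannot distinguish
// user data from an internal serialized object.
const LC_MARKER = "lc";
const ESCAPE_KEY = "__lc_escaped__"; // assumed marker name, not LangChain's

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Recursively escape free-form data: any plain object carrying an "lc" key
// is wrapped so it survives as data and is never parsed as a LangChain object.
function escapeFreeForm(value) {
  if (Array.isArray(value)) return value.map(escapeFreeForm);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) out[k] = escapeFreeForm(v);
  return hasOwn(value, LC_MARKER) ? { [ESCAPE_KEY]: out } : out;
}

// Inverse transform for loading: unwrap escaped objects back to plain data.
function unescapeFreeForm(value) {
  if (Array.isArray(value)) return value.map(unescapeFreeForm);
  if (value === null || typeof value !== "object") return value;
  const inner = hasOwn(value, ESCAPE_KEY) ? value[ESCAPE_KEY] : value;
  const out = {};
  for (const [k, v] of Object.entries(inner)) out[k] = unescapeFreeForm(v);
  return out;
}

// Vulnerable-style serializer: kwargs embedded verbatim (simplified envelope).
function serializeUnsafe(id, kwargs) {
  return JSON.stringify({ [LC_MARKER]: 1, type: "constructor", id, kwargs });
}

// Hardened serializer: free-form kwargs are escaped first.
function serializeSafe(id, kwargs) {
  const escaped = escapeFreeForm(kwargs);
  return JSON.stringify({ [LC_MARKER]: 1, type: "constructor", id, kwargs: escaped });
}

// Detection: count "lc"-keyed objects inside kwargs that are not wrapped by the
// escape marker. A non-zero count means the blob carries stray "lc" markers.
function countUnescapedLcInKwargs(json) {
  const root = JSON.parse(json);
  let count = 0;
  const walk = (v, exempt) => {
    if (Array.isArray(v)) { v.forEach((x) => walk(x, false)); return; }
    if (v === null || typeof v !== "object") return;
    if (hasOwn(v, ESCAPE_KEY)) { walk(v[ESCAPE_KEY], true); return; }
    if (!exempt && hasOwn(v, LC_MARKER)) count += 1;
    for (const x of Object.values(v)) walk(x, false);
  };
  walk(root.kwargs ?? {}, false);
  return count;
}
```

Run `countUnescapedLcInKwargs` over stored serialized objects to find blobs whose free-form kwargs contain unescaped 'lc' markers.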
Recommendation
Update the langchain package to the latest compatible version. Version details:
Affected version(s): **< 0.3.37; >= 1.0.0, < 1.2.3**
Patched version(s): **0.3.37, 1.2.3**
Tags: npm, langchain
Last updated on December 24, 2025