Cyata Security Ltd. has revealed a critical vulnerability in langchain-core, known as “LangGrinch” (CVE-2025-68664), with a CVSS score of 9.3. This flaw enables attackers to exfiltrate sensitive data and could lead to remote code execution. Langchain-core is a key library underlying LangChain-based AI agents, boasting approximately 847 million downloads. The issue stems from a serialization bug, where an attacker can exploit prompt injection to generate responses that misinterpret untrusted input as trusted LangChain objects. This vulnerability creates multiple attack vectors in production systems. Immediate updates to langchain-core versions 1.2.5 and 0.3.81 are recommended to mitigate risks, as the flaw exists independently of third-party tools. Cyata’s disclosures highlight the importance of security in AI environments, prompting organizations to reassess permission management and mitigate potential risks effectively.
Source link
