LangChain Vulnerability Alert: CVE-2025-65106 – Template Injection Risks

Overview

This article details CVE-2025-65106, a critical template injection vulnerability discovered in LangChain, a popular framework for building agents and LLM-powered applications. The vulnerability allows attackers to potentially access Python object internals through template syntax, posing a significant risk to applications that accept untrusted template strings.

Technical Details

CVE-2025-65106 affects LangChain versions 0.3.79 and prior, as well as versions 1.0.0 through 1.0.6. The vulnerability resides in LangChain’s prompt template system, specifically within ChatPromptTemplate and related prompt template classes. An attacker can exploit this flaw by injecting malicious code into template strings if the application doesn’t properly sanitize or validate the input. This allows access to sensitive internal Python objects, potentially leading to information disclosure or arbitrary code execution.

CVSS Analysis

Currently, the CVSS score for CVE-2025-65106 is not available (N/A). However, given the nature of a template injection vulnerability and the potential for sensitive data exposure or code execution, it is advisable to treat this vulnerability with high severity until an official CVSS score is released. A full CVSS analysis will be provided here as soon as it’s available.

Possible Impact

Successful exploitation of CVE-2025-65106 can have severe consequences, including:

  • Information Disclosure: Attackers could potentially access sensitive data stored within the application’s memory.
  • Remote Code Execution (RCE): In the worst-case scenario, an attacker could execute arbitrary code on the server hosting the LangChain application, potentially compromising the entire system.
  • Denial of Service (DoS): By injecting malicious templates, an attacker could cause the application to crash or become unresponsive.

Mitigation and Patch Steps

To mitigate the risk of CVE-2025-65106, it is strongly recommended to upgrade LangChain to the patched versions:

  • Upgrade to version 0.3.80 or later if using the 0.3.x branch.
  • Upgrade to version 1.0.7 or later if using the 1.x branch.

Additionally, as a general security best practice, avoid accepting untrusted template strings directly from user input. Implement robust input validation and sanitization to prevent malicious code injection. Consider using parameterized queries or similar techniques to separate code from data.
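One way to implement the input validation recommended above, as an added example that is not from the original article or from LangChain's own code. It assumes untrusted templates use Python's str.format brace syntax and that the application has a fixed allow-list of variable names; ALLOWED_VARS, UnsafeTemplateError, validate_template and render are hypothetical names.

```python
from string import Formatter

# Assumption: the only variables this application ever fills in.
ALLOWED_VARS = frozenset({"question", "context"})


class UnsafeTemplateError(ValueError):
    """Template contains something other than plain {name} fields."""


def validate_template(template, allowed=ALLOWED_VARS):
    """Return the set of variables used, or raise UnsafeTemplateError."""
    try:
        # parse() is lazy; list() forces errors such as a lone "{" here.
        fields = list(Formatter().parse(template))
    except ValueError as exc:
        raise UnsafeTemplateError(f"malformed template: {exc}") from exc
    used = set()
    for _literal, name, spec, conversion in fields:
        if name is None:  # literal text only, no replacement field
            continue
        # "question.attr", "context[0]", "" and "0" are not identifiers, so
        # attribute access, indexing and positional fields stop here.
        if not name.isidentifier() or name not in allowed:
            raise UnsafeTemplateError(f"field {name!r} is not allowed")
        # A format spec can nest another field ("{a:{b.attr}}"), and a
        # conversion (!r) calls repr(); plain {name} needs neither.
        if spec or conversion:
            raise UnsafeTemplateError(f"field {name!r} has a spec or conversion")
        used.add(name)
    return used


def render(template, values, allowed=ALLOWED_VARS):
    """Validate an untrusted template, then fill it with trusted values."""
    used = validate_template(template, allowed)
    missing = used - set(values)
    if missing:
        raise KeyError(f"missing values for {sorted(missing)}")
    return template.format(**{k: values[k] for k in used})
```

A check like this complements the upgrade to a patched version; it does not replace it.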

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
