A new report out today from artificial intelligence security startup Cyata Security Ltd. details a recently uncovered critical vulnerability on langchain-core, the foundational library behind LangChain-based agents used widely in artificial intelligence production environments.

The vulnerability, tracked as CVE-2025-68664 and dubbed “LangGrinch,” has a Common Vulnerability Scoring System score of 9.3. The vulnerability can allow attackers to exfiltrate sensitive secrets from affected systems and could potentially escalate to remote code execution under certain conditions.

Langchain-core sits at the heart of the agentic AI ecosystem and acts as a core dependency for countless frameworks and applications. According to Cydata, public package download trackers show langchain-core at approximately 847 million total downloads, with tens of millions of downloads in the last 30 days. The broader LangChain package has about 98 million downloads per month, highlighting how deeply embedded the vulnerable component is across modern AI workflows.

LangGrinch occurs thanks to a serialization and deserialization injection vulnerability in langchain-core’s built-in helper functions. An attacker can exploit the vulnerability by steering an AI agent through prompt injection into generating crafted structured outputs that include LangChain’s internal marker key. Because the marker key is not properly escaped during serialization, the data can later be deserialized and interpreted as a trusted LangChain object rather than untrusted user input.

“What makes this finding interesting is that the vulnerability lives in the serialization path, not the deserialization path,” explained Yarden Porat, a security researcher at Cyata. “In agent frameworks, structured data produced downstream of a prompt is often persisted, streamed and reconstructed later. That creates a surprisingly large attack surface reachable from a single prompt.”

Once the vulnerability is triggered, it can result in full environment variable exfiltration via outbound HTTP requests. The exposure may include cloud provider credentials, database and RAG connection strings, vector database secrets and large language model application programming interface keys.

Cyata’s researchers identified 12 distinct reachable exploit flows, highlighting how routine agent operations such as persisting, streaming and reconstructing structured data can unintentionally open an attack path.

Notably, the vulnerability exists in langchain-core itself and does not depend on third-party tools, integrations or connectors. Cyata emphasized that this makes the flaw particularly dangerous, since it lives in what the company described as the ecosystem’s “plumbing layer,” exercised continuously by many production systems.

Patches are now available in langchain-core versions 1.2.5 and 0.3.81 and Cyata is urging organizations to update immediately. Before going public with the details, Cyata ethically disclosed the details to the LangChain Maintainers, whom Cyata commended for decisive remediation and security hardening steps beyond the immediate fix.

“As agents move into production, the security question shifts from ‘what code do we run’ to ‘what effective permissions does this system end up exercising,’” said Cyata co-founder and Chief Executive Shahar Tal. “With agentic identities, you want tight defaults, clear boundaries and the ability to reduce blast radius when something goes wrong.”

Image: SiliconANGLE/Ideogram