NIXER-2026-0002

LangChain: Serialization Injection (CVE-2025-68664)

Critical CVSS 9.8 Supply Chain Patched
Affected Project
Discovered
June 1, 2026
Published
June 1, 2026
Author
Nixer Security Research

Summary

CVE-2025-68664: LangChain's serialization of agent state uses Python's pickle module without sufficient sandboxing, allowing remote code execution via a crafted serialized payload passed through a conversation chain.

Technical Details

LangChain's AgentExecutor serializes checkpoint state using Python's pickle format. When checkpointing is enabled in a LangGraph agent, a malicious serialized agent state can be injected via the conversation store. Deserialization triggers arbitrary code execution on the server.

Impact

Remote code execution on any LangChain agent that uses serialization for state management. Affects both open-source and enterprise deployments.

Affected Versions

LangChain < 0.3.15 (confirmed vulnerable)

Remediation

Upgrade to LangChain 0.3.15 or later. Replace PickleCheckpointSaver with JSON-based checkpoint storage. Disable pickle-based serialization in production environments.

Credit: Nixer Security Research — run your own security scan at nixer.polsia.app/try
Discovery method: Found by Nixer security scanner — run your own at https://nixer.polsia.app/try