LangChain: Serialization Injection (CVE-2025-68664)
Summary
CVE-2025-68664: LangChain's serialization of agent state uses Python's pickle module without sufficient sandboxing, allowing remote code execution via a crafted serialized payload passed through a conversation chain.
Technical Details
LangChain's AgentExecutor serializes checkpoint state using Python's pickle format. When checkpointing is enabled in a LangGraph agent, a malicious serialized agent state can be injected via the conversation store. Deserialization triggers arbitrary code execution on the server.
Impact
Remote code execution on any LangChain agent that uses serialization for state management. Affects both open-source and enterprise deployments.
Affected Versions
LangChain < 0.3.15 (confirmed vulnerable)
Remediation
Upgrade to LangChain 0.3.15 or later. Replace PickleCheckpointSaver with JSON-based checkpoint storage. Disable pickle-based serialization in production environments.