CVE-2025-65106

Опубликовано: 21 нояб. 2025

Источник: redhat

CVSS3: 8.2

EPSS Низкий

Описание

LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings (not just template variables) in ChatPromptTemplate and related prompt template classes. This issue has been patched in versions 0.3.80 and 1.0.7.

A template-injection vulnerability in LangChain's prompt template system allowed untrusted template strings to access Python object internals through attribute traversal and indexing. By crafting malicious template expressions, an attacker could read sensitive properties (e.g., class, globals) from objects passed into the template, potentially exposing environment variables, configuration data, and other confidential runtime state. The issue affects applications that accept user-controlled template structures rather than just template variables.

Отчет

This vulnerability marked as an Important vulnerability rather than a Moderate flaw because the template injection pathway enables attackers to reach and traverse Python object internals, including attributes like class, dict, and potentially globals, when untrusted template structures are evaluated. This goes far beyond simple variable misuse: once an attacker can access internal object graphs, they may extract highly sensitive data such as environment variables, configuration objects, authentication tokens, or internal state held within LangChain message objects. The attack requires no privileges, no user interaction, and succeeds over a network whenever applications accept user-provided prompt templates—meaning the impact is systemic and not isolated to a single component. Although method execution is blocked, attribute traversal combined with indexing ([]) is still sufficient to expose confidential server-side data, creating a high confidentiality impact. Because the flaw allows reading sensitive runtime state rather than just causing template mis-renders or limited information exposure, the risk crosses the threshold from Moderate to Important.

Меры по смягчению последствий

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Затронутые пакеты

Платформа	Пакет	Состояние
OpenShift Lightspeed	openshift-lightspeed/lightspeed-service-api-rhel9	Affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/de-minimal-rhel8	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/de-minimal-rhel9	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/de-supported-rhel8	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/de-supported-rhel9	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/ee-minimal-rhel8	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/ee-minimal-rhel9	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/ee-supported-rhel8	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/ee-supported-rhel9	Not affected
Red Hat Ansible Automation Platform 2	ansible-automation-platform-24/lightspeed-rhel8	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-1336

https://bugzilla.redhat.com/show_bug.cgi?id=2416504langchain-core: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

EPSS

Процентиль: 25%

0.00086

Низкий

8.2 High

CVSS3

Связанные уязвимости

CVE-2025-65106

nvd

5 месяцев назад

GHSA-6qv9-48xg-fc7f

github