LangChain load() is basically eval()

In December 2025, CVE-2025-68665, a high-severity vulnerability (CVSS 8.6) was reported on LangChain. The vulnerability was an insecure deserialisation where an adversary could hijack secrets (e.g. OpenAI API keys), and depending on the set of allowed constructors (and their side effects), it could be escalated into arbitrary code execution. The patch for LangChain vulnerability CVE-2025-68665 disables loading secrets from environment variables by default, and introduces an escape wrapper to prevent injection. This is good, however, the underlying functionality is insecure-by-design and the root-cause has not been addressed. Read the full text: https://secdim.com/blog/post/langchain-load-is-basically-eval-17661/

LangChain load() is basically eval()

Related Articles

I tested a Samsung Galaxy Z Fold 7 rival with a design I didn't think was ever possible

First Post for AppDev II!

A mission NASA might kill is still returning fascinating science from Jupiter

Playbit runtime

Trump's MAHA pick for surgeon general flounders amid GOP doubts

Related Articles

News
I tested a Samsung Galaxy Z Fold 7 rival with a design I didn't think was ever possible
ZDNet • 1w ago

News
First Post for AppDev II!
Dev.to • 1w ago

News
A mission NASA might kill is still returning fascinating science from Jupiter
Ars Technica • 1w ago

News
Playbit runtime
Lobsters • 1w ago

News
Trump's MAHA pick for surgeon general flounders amid GOP doubts
Ars Technica • 1w ago