Hacker News

All I Want for Christmas Is Your Secrets: LangGrinch hits LangChain Core

46 points by shahartal today at 6:06 PM | 23 comments

Comments

prodigycorp today at 8:20 PM

The best part about this is that you know the type of people/companies using langchain are likely the type that are not going to patch this in a timely manner.

shahartal today at 6:06 PM

CVE-2025-68664 (langchain-core): object confusion during (de)serialization can leak secrets (and in some cases escalate further). Details and mitigations in the post.

threecheese today at 8:47 PM

Cheers to all the teams on sev1 calls on their holidays, we can only hope their adversaries are also trying to spend time with family. LangGrinch, indeed! (I get it, timely disclosure is responsible disclosure)

nextworddev today at 10:21 PM

Meanwhile Harrison Chase is laughing his way to the bank

nubg today at 7:53 PM

WHY on earth did the author of the CVE feel the need to feed the description text through an LLM? I get dizzy when I see this AI slop style.

I would rather just read the original prompt that went in instead of verbosified "it's not X, it's **Y**!" slop.
