## LangChain 0.2.5 Package Exposes 11 Critical Vulnerabilities, Including 9.3 CVSS Score Flaw
A critical security scan has flagged the widely used LangChain 0.2.5 Python package as containing 11 distinct vulnerabilities, with the most severe scoring a 9.3 on the CVSS scale. This finding exposes a significant security risk for any application built on this foundational AI framework, which is designed for constructing large language model (LLM) applications through composability. The vulnerabilities are not merely theoretical; the report explicitly marks them as 'reachable,' indicating that the vulnerable code is on a call path the application can actually execute through its dependency chain, and is therefore exploitable by an attacker.

The primary vulnerability, CVE-2025-68664, is classified as critical and resides in the transitive dependency `langchain_core-0.2.43`. With a CVSS score of 9.3, it represents a severe threat, though its exploit maturity is currently 'Not Defined.' A second high-severity flaw, CVE-2025-65106, carries a CVSS score of 8.2. Alarmingly, the report indicates that for the critical CVE-2025-68664 no remediation is currently available ('Fixed in: N/A'), so there is no patched version to upgrade to, leaving developers with limited options for mitigation.

This situation places immense pressure on development teams and organizations relying on LangChain for AI-driven applications. The presence of multiple high and critical-severity, reachable vulnerabilities in a core dependency signals a pressing security debt. It forces a difficult choice: continue using a vulnerable version and accept the risk, or halt development and deployment until a fix is issued. The incident underscores the hidden risks within the AI software supply chain, where a single vulnerable transitive dependency can compromise the security posture of entire application ecosystems built for cutting-edge technology.
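A defender's first question is whether the pinned `langchain_core` 0.2.43 is actually present in a given environment and which top-level package pulls it in, since the report attributes the critical flaw to a transitive dependency rather than to `langchain` itself. The following Python is an added example, not code from the report or from the LangChain project: it walks a dependency inventory (a constructed one that mirrors the chain the report describes, or the live environment via `importlib.metadata`) and returns each affected package together with the chain of requirements that reaches it. The sample application name `my-app` and every version pin other than `langchain` 0.2.5 and `langchain_core` 0.2.43 are assumptions.

```python
"""Locate a known-vulnerable transitive dependency in a Python environment
and report the chain of packages that pulls it in.

Added example; not code from the report or from the LangChain project.
Standard library only, so it runs offline against the constructed inventory.
"""
import re
from importlib import metadata

# Advisory data taken from the report: package, affected version, CVE, CVSS.
ADVISORIES = [
    {"cve": "CVE-2025-68664", "package": "langchain_core", "version": "0.2.43", "cvss": 9.3},
]

# Constructed inventory modelled on the report's chain:
# my-app -> langchain 0.2.5 -> langchain_core 0.2.43.
# "my-app" and the pydantic pin are assumptions, not values from the report.
SAMPLE_INVENTORY = {
    "my-app": {"version": "1.0.0", "requires": ["langchain"]},
    "langchain": {"version": "0.2.5", "requires": ["langchain-core", "pydantic"]},
    "langchain_core": {"version": "0.2.43", "requires": ["pydantic"]},
    "pydantic": {"version": "2.7.0", "requires": []},
}


def normalize(name):
    """PEP 503 normalisation so langchain_core and langchain-core compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _normalized(inventory):
    """Return a copy of the inventory with all package names normalised."""
    return {
        normalize(name): {
            "version": info["version"],
            "requires": [normalize(r) for r in info.get("requires", [])],
        }
        for name, info in inventory.items()
    }


def find_chains(inv, root, target, chain=None):
    """Return every requirement path from `root` down to `target` (normalised names)."""
    chain = (chain or []) + [root]
    if root == target:
        return [chain]
    paths = []
    for dep in inv.get(root, {}).get("requires", []):
        if dep in chain:  # guard against dependency cycles
            continue
        paths.extend(find_chains(inv, dep, target, chain))
    return paths


def audit(inventory, advisories=ADVISORIES):
    """Match installed versions against advisories and attach the chains that reach them.

    Roots are packages nothing else requires (the application's direct installs).
    """
    inv = _normalized(inventory)
    required = {dep for info in inv.values() for dep in info["requires"]}
    roots = [name for name in inv if name not in required]
    findings = []
    for adv in advisories:
        target = normalize(adv["package"])
        info = inv.get(target)
        if info is None or info["version"] != adv["version"]:
            continue  # not installed, or a different version than the advisory names
        chains = [c for root in roots for c in find_chains(inv, root, target)]
        findings.append({
            "cve": adv["cve"],
            "package": target,
            "version": adv["version"],
            "cvss": adv["cvss"],
            "chains": chains,
        })
    return findings


def live_inventory():
    """Build an inventory of the running interpreter's installed distributions."""
    inv = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        reqs = []
        for req in dist.requires or []:
            if "extra ==" in req:  # skip optional extras that are not installed by default
                continue
            # Strip version specifiers, extras and markers, keeping the bare project name.
            reqs.append(re.split(r"[\s;\[<>=!~(]", req, 1)[0])
        inv[name] = {"version": dist.version, "requires": reqs}
    return inv


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['cve']} (CVSS {f['cvss']}) {f['package']}=={f['version']}")
        for chain in f["chains"]:
            print("  reached via: " + " -> ".join(chain))
    # To check the current environment instead: audit(live_inventory())
```

Against the constructed inventory the audit reports CVE-2025-68664 reached via `my-app -> langchain -> langchain-core`; run `audit(live_inventory())` to ask the same question of a real virtual environment. The exact-version match is deliberate: with 'Fixed in: N/A' there is no fixed range to compare against, so the check only confirms whether the version the report names is installed.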
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: AI Security, Software Supply Chain, Vulnerability, Python, LLM
- **Credibility**: unverified
- **Published**: 2026-03-27 22:27:17
- **ID**: 38442
- **URL**: https://whisperx.ai/en/intel/38442