LangChain CVE-2025-68664: How PII Leaks Through Your RAG Pipeline
Updated for 2026.
A critical flaw was found in LangChain in late 2025. The CVE is CVE-2025-68664. The CVSS score is 9.3 (Critical).
It targets LangChain's serialization code.
What CVE-2025-68664 Does
LangChain has two serialization functions: dumps() and dumpd(). They convert Python objects to text.
The flaw is in closure handling.
When LangChain serializes a callable, it captures the closure context.
An attacker who controls the LLM response can trigger dumps(). The function then reads environment variables from the Python process.
The result is data exposure. API keys, database strings, JWT secrets, and AWS credentials can appear in model output.
An attacker who injects text into a RAG source document can read your production secrets.
Affected versions: LangChain below 0.3.22 (Python). Version 0.3.22 has the fix.
PyPI data shows wide use of older versions through March 2026.
How PII Leaks in RAG Pipelines
CVE-2025-68664 is dramatic. But it is just one case of a broader problem.
Data leaks through RAG pipelines routinely. No attacker is needed.
Here is a standard enterprise RAG setup.
First, ingestion. You index company documents into a vector store. Think support tickets, customer emails, contracts, and HR records.
Common vector stores are Pinecone, Weaviate, and pgvector.
Next, retrieval. A user asks a question. The system pulls the five most relevant chunks from the store.
Then, generation. Those chunks go to an LLM — GPT-4o, Claude, or Gemini — as context.
Step two is the problem. Retrieved chunks hold whatever the source documents held. That includes:
- Customer names, email addresses, and phone numbers
- Contract values, account numbers, and tax identifiers
- Employee salary data and performance review notes
- Patient names in clinical notes
- National ID numbers in immigration files
That data goes to the LLM as-is. It can appear in model output.
It gets logged by the LLM provider. It sits in your conversation history. It flows into your observability stack.
No attack is needed. This is how RAG works by design. The design creates real privacy risk.
68 Secret Patterns in Enterprise Document Stores
Security tooling tracks 68 known secret patterns. They appear more often than teams expect.
Here are the most common ones.
- AWS Access Key IDs (
AKIA...) - OpenAI API keys (
sk-...) - Anthropic API keys (
sk-ant-...) - Database URIs (
postgresql://user:password@host/db) - JWT tokens (base64-encoded headers)
- GitHub Personal Access Tokens
- Stripe secret keys (
sk_live_...) - SendGrid API keys
- Twilio account SIDs and auth tokens
- Private key PEM blocks
A support ticket might hold a customer API key from a debug session.
A contract might include database credentials from a technical handoff.
A config file indexed by mistake can expose an entire secrets store.
When these files enter a vector store without sanitization, every query can pass the secrets to the LLM.
They may reach the end user too.
Fix It: Anonymize Before Embedding
The right approach anonymizes documents before chunking and embedding.
This step is required for any system that handles customer data.
Here is a Python example using the anonym.legal API:
import requests
import os
ANONYM_API_KEY = os.environ["ANONYM_API_KEY"]
ANONYM_BASE_URL = "https://anonym.legal/api"
def anonymize_before_embedding(text: str) -> tuple[str, dict]:
"""Anonymize PII before embedding."""
response = requests.post(
f"{ANONYM_BASE_URL}/presidio/anonymize",
json={
"text": text,
"language": "en",
"anonymizers": {
"DEFAULT": {"type": "replace", "new_value": "[REDACTED]"},
"PERSON": {"type": "mask", "masking_char": "*", "chars_to_mask": 4, "from_end": False},
"EMAIL_ADDRESS": {"type": "replace", "new_value": "[EMAIL]"},
"PHONE_NUMBER": {"type": "replace", "new_value": "[PHONE]"},
"CRYPTO": {"type": "replace", "new_value": "[SECRET]"},
"URL": {"type": "keep"},
}
},
headers={"Authorization": f"Bearer {ANONYM_API_KEY}"}
)
result = response.json()
return result["text"], result.get("items", [])
def build_rag_index(documents: list[str], vectorstore):
"""Build a RAG index with clean documents only."""
anonymized_docs = []
for doc in documents:
clean_text, entities = anonymize_before_embedding(doc)
anonymized_docs.append(clean_text)
print(f"Removed {len(entities)} PII entities from document")
vectorstore.add_texts(anonymized_docs)
The anonym.legal API covers 285+ entity types. Names, emails, phone numbers, national IDs, API keys, and database URIs are all caught.
Nothing sensitive reaches the vector store. So nothing sensitive can leak to users.
See the developer guide for LangChain and LlamaIndex setup patterns.
Fix CVE-2025-68664 Right Now
If you run LangChain below 0.3.22, update now:
pip install "langchain>=0.3.22" "langchain-core>=0.3.22"
After patching, check your chain configs for injection risk. Here are three steps to take.
First, validate retrieved chunks. Do this before they reach the LLM.
Strip content that matches injection patterns such as ignore previous instructions, system:, or <INST>.
Second, anonymize before embedding. This shrinks the attack surface.
If injection does occur, the sensitive data is not there to extract.
Third, restrict chain permissions. LangChain chains should not read environment variables beyond what they need.
Use a service account with minimal scope.
The Math Is Simple
The CVSS score is 9.3. The fix is one API call per document.
The combination of CVE-2025-68664 and general RAG data risk is a real liability.
The solution is clear: anonymize at ingestion, not at query time.
Check the security and compliance overview for enterprise RAG requirements.
Sources
- NVD CVE-2025-68664, CVSS 9.3, LangChain serialization vulnerability
- LangChain security advisory, langchain-ai/langchain GitHub, 2025
- OWASP LLM Top 10: LLM01 Prompt Injection, LLM06 Sensitive Information Disclosure
- anonym.legal entity type documentation — 285+ supported entity types