CVE-2025-65106: 
Python vulnerability analysis and mitigation

A template injection vulnerability (CVE-2025-65106) was discovered in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. The vulnerability affects applications using ChatPromptTemplate and related prompt template classes that accept untrusted template strings. The issue was disclosed on November 19, 2025, affecting langchain-core package versions <1.0.6,>=1.0.0 and <=0.3.79, with patches available in versions 1.0.7 and 0.3.80 (GitHub Advisory).

The vulnerability exists in three template formats: F-string, Mustache, and Jinja2. The root cause in F-string templates stemmed from using Python's string.Formatter().parse() without proper validation, allowing attribute access and indexing expressions. While method calls with () were not supported, the templates allowed attribute access (.) and indexing ([]) syntax, which could be exploited. For Mustache templates, the issue arose from using getattr() as a fallback for attribute access. Jinja2 templates' default SandboxedEnvironment allowed access to non-dunder attributes and methods. The vulnerability has a CVSS score of 8.3 (High) with a vector string of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

Attackers who can control template strings can access Python object attributes and internal properties via attribute traversal, extract sensitive information from object internals (e.g., class, globals), and potentially escalate to more severe attacks depending on the objects passed to templates. The impact is particularly significant when using MessagesPlaceholder with chat message objects, as attackers can traverse through object attributes and dictionary lookups to reach sensitive data such as environment variables (GitHub Advisory).

The fixes include strict validation for F-string templates to enforce valid Python identifiers and reject attribute access syntax, defensive hardening for Mustache templates to only allow traversal into dict, list, and tuple types, and restricted Jinja2 template capabilities through a _RestrictedSandboxedEnvironment that blocks all attribute/method access. Users should update to patched versions (1.0.7 or 0.3.80), audit code for untrusted template sources, and consider using direct message objects instead of templates where possible. For applications requiring templates with untrusted input, it's recommended to use f-string or mustache templates with the new restrictions instead of Jinja2 (GitHub Advisory).