CVE-2025-9556 · CRITICAL 9.8 · EPSS percentile 46.9%

CVE-2025-9556

Description

Langchaingo supports Jinja2 syntax when parsing prompts, and that syntax is parsed using the gonja library v1.5.3. Gonja supports the include and extends statements, which read files from disk, so an attacker who controls part of a prompt can insert such a statement and cause langchaingo to read the "etc/passwd" file: a server-side template injection (SSTI) vulnerability.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% probability of exploitation · percentile 46.9% · 2026-06-19T12:03:05Z
Published: 2025-09-12
Last modified: 2026-04-15

References

  1. https://github.com/tmc/langchaingo/pull/1348
  2. https://github.com/tmc/langchaingo/security/advisories/GHSA-mgcj-g55g-rf6h
  3. https://www.kb.cert.org/vuls/id/949137

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-34070
  2. CVE-2025-45150
  3. CVE-2026-27966
  4. CVE-2025-61732
  5. CVE-2025-68664
  6. CVE-2025-68665
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.