CVE-2025-46059
Published: 29 July 2025
Summary
CVE-2025-46059 is a critical-severity Code Injection (CWE-94) vulnerability in LangChain (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 49.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as NLP and Transformers, falls in the LLM/Generative AI Risks risk domain, and has the MITRE ATLAS technique Triggered (AML.T0051.002) in scope.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-46059 is an indirect prompt injection vulnerability affecting langchain-ai version 0.3.51, specifically within the GmailToolkit component. This flaw enables attackers to execute arbitrary code and compromise the application through a crafted email message. The issue has been disputed by the supplier, who attributes the code-execution risk to user-written code that fails to adhere to LangChain security practices.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that it is exploitable over a network with low complexity and with no privileges or user interaction required. Remote attackers who can send a malicious email to a Gmail account monitored by the affected GmailToolkit can trigger the injection, potentially achieving high-impact confidentiality, integrity, and availability violations through arbitrary code execution.
Advisories and references, including LangChain's security documentation at python.langchain.com/docs/security/ and GitHub issues such as langchain-ai/langchain-community/issues/217#issuecomment-3144824471 and langchain-ai/langchain/issues/30833, highlight the dispute and emphasize adherence to established security practices. Additional details are available in the CVE write-up at github.com/Jr61-star/CVEs/blob/main/CVE-2025-46059.md, with no specific patches detailed in the provided information.
LangChain is used in AI and machine learning applications for building LLM chains, which makes this vulnerability relevant to secure prompt handling in AI workflows, though no real-world exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23002
Vulnerability details
langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the Supplier because the code-execution issue was introduced by user-written code that does not adhere to the LangChain security practices.
- CWE(s)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: Matched keywords: ai, langchain, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The indirect prompt injection vulnerability in GmailToolkit enables arbitrary code execution when processing crafted email messages, aligning with exploitation of client-side software vulnerabilities for execution.
Mitigating Controls (NIST 800-53 r5)
- Enforces validation of untrusted email inputs to the GmailToolkit to block crafted messages enabling indirect prompt injection.
- Prevents arbitrary code execution triggered by injected prompts through memory protections like DEP and ASLR.
- Requires timely remediation of the specific flaw in langchain-ai v0.3.51 via patching or secure updates.