CVE-2025-46059
Published: 29 July 2025
Summary
CVE-2025-46059 is a critical-severity Code Injection (CWE-94) vulnerability in LangChain (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 49.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain. MITRE ATLAS techniques in scope: Triggered (AML.T0051.002).
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces validation of untrusted email inputs to the GmailToolkit to block crafted messages enabling indirect prompt injection.
Prevents arbitrary code execution triggered by injected prompts through memory protections like DEP and ASLR.
Requires timely remediation of the specific flaw in langchain-ai v0.3.51 via patching or secure updates.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The indirect prompt injection vulnerability in GmailToolkit enables arbitrary code execution when processing crafted email messages, aligning with exploitation of client-side software vulnerabilities for execution.
MITRE ATLAS Techniques
NVD Description
langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message. NOTE: this is disputed by the Supplier because the code-execution issue was introduced by user-written code that does not adhere to the LangChain security practices.
Deeper analysis
CVE-2025-46059 is an indirect prompt injection vulnerability affecting langchain-ai version 0.3.51, specifically within the GmailToolkit component. This flaw enables attackers to execute arbitrary code and compromise the application through a crafted email message. The issue has been disputed by the supplier, who attributes the code-execution risk to user-written code that fails to adhere to LangChain security practices.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that it is exploitable over a network with low complexity and that no privileges or user interaction are required. Remote attackers who can send a malicious email to a Gmail account monitored by the affected GmailToolkit can trigger the injection, potentially achieving high-impact confidentiality, integrity, and availability violations through arbitrary code execution.
Advisories and references, including LangChain's security documentation at python.langchain.com/docs/security/ and GitHub issues such as langchain-ai/langchain-community/issues/217#issuecomment-3144824471 and langchain-ai/langchain/issues/30833, highlight the dispute and emphasize adherence to established security practices. Additional details are available in the CVE write-up at github.com/Jr61-star/CVEs/blob/main/CVE-2025-46059.md, with no specific patches detailed in the provided information.
LangChain is used in AI and machine learning applications for building LLM chains, which makes this vulnerability relevant to secure prompt handling in AI workflows. No real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- Classification Reason: LangChain is a framework for building AI agents and applications with LLMs, and the vulnerability is in the GmailToolkit component, which provides tool integrations for agents to interact with external services like Gmail.