The rise of large language model (LLM) applications has made frameworks like LangChain and its ports foundational for developers worldwide. But according to a recent CERT/CC Vulnerability Note, a critical flaw in LangChainGo, the Go implementation of LangChain, exposes users to severe risks.
The vulnerability, tracked as CVE-2025-9556 and rated with a CVSS score of 9.8, allows arbitrary file reads through the Gonja template engine. As CERT/CC warns, “Attackers can exploit this by injecting malicious prompt content to access sensitive files, leading to a server-side template injection (SSTI) attack.”
LangChainGo leverages Gonja, a Go-based implementation of the popular Python Jinja2 template engine. While intended to support flexible and reusable templates, the feature set opens the door to abuse.
“As Gonja supports Jinja2 syntax, an attacker could leverage directives such as {% include %}, {% from %}, or {% extends %} for malicious purposes within LangChainGo.”
By embedding such directives in a crafted prompt, an attacker could trick the system into reading sensitive files like /etc/passwd. This transforms ordinary chatbot prompts into vectors for server-side template injection—a powerful exploit class that can bypass traditional input validation.
The implications for LLM-driven environments are significant. In scenarios where users can freely submit prompts, attackers don’t need elevated privileges or backend access. Instead, malicious input alone could exfiltrate system data.
The advisory explains, “In LLM-based chatbot environments that use LangChainGo, attackers would only need access to the prompt to maliciously craft and exploit the prompt.”
This kind of low-barrier exploitation dramatically increases risk, particularly for developers deploying chatbots and agents in production without strict input sanitization.
The maintainers of LangChainGo have acted quickly to secure the project. A patch has introduced new security features to prevent template injection. According to CERT/CC, “A new RenderTemplateFS function has been added, which supports secure file template referencing, on top of blocking filesystem access by default.”
Developers are strongly urged to update to the latest version of LangChainGo immediately. Those unable to upgrade should limit exposure by restricting user input to trusted sources and monitoring for suspicious prompt activity.
- AI’s Dark Side: Hackers Harnessing ChatGPT and LLMs for Malicious Attacks
- Black Basta’s Evolving Tactics and the Rising Role of LLMs in Cyber Attack
- Path Traversal at Scale: Study Uncovers 1,756 Vulnerable GitHub Projects and LLM Contamination
- Critical Flaws in AI Browse Agents: Exposed to Credential Theft and Hijacking
