Skip to content
ATR-2026-00554highPrompt Injectionexperimental

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

Severity
high
Category
Prompt Injection
Scan Target
runtime
Author
ATR Community (GHSA sync)

Response Actions

alert

References

OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051 - LLM Prompt Injection

Detection Conditions

Combinator: any
  1. 01
    Server-side template injection via Python dunder/builtins traversal
    field: contentop: regex

Attack Examples (Rule Triggers)

  1. {{config.__class__.__init__.__globals__['os'].environ}}
  2. {{ ''.__class__.__mro__[1].__subclasses__() }}
  3. {{user.session.__dict__}}

Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.

Benign Examples (Rule Doesn't Trigger)

  1. benign template 1
    {{ user.name }}
  2. benign template 2
    {{order.total}} items
  3. benign template 3
    Hello {first_name}
  4. benign template 4
    import os

Full YAML Definition

Edit on GitHub →
title: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
id: ATR-2026-00554
rule_version: 1
status: experimental
description: 'GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

  '
author: ATR Community (GHSA sync)
date: 2026/06/01
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
  cve:
  - CVE-2025-65106
  cwe:
  - CWE-1336
  ghsa:
  - GHSA-6qv9-48xg-fc7f
  external:
  - https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f
  - https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a
  - https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00
  - https://nvd.nist.gov/vuln/detail/CVE-2025-65106
  - https://github.com/advisories/GHSA-6qv9-48xg-fc7f
  owasp_llm:
    - LLM01:2025 - Prompt Injection
  owasp_agentic:
    - ASI01:2026 - Agent Goal Hijack
  mitre_atlas:
    - AML.T0051 - LLM Prompt Injection
metadata_provenance:
  ghsa: ghsa-sync
  cve: ghsa-sync
  cwe: ghsa-sync
compliance:
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: secondary
    - article: "14"
      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) would bypass or undermine that oversight."
      strength: secondary
  nist_ai_rmf:
    - subcategory: "MS.2.7"
      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - subcategory: "MG.2.3"
      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) so the risk can be treated."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
      strength: primary
    - clause: "6.2"
      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) is such a treatment."
      strength: secondary
tags:
  category: prompt-injection
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)\{\{?[^{}]*\b__(?:class|globals|import|builtins|subclasses|init|mro|base|dict|reduce|getattribute|subclasshook)__[^{}]*\}?\}
    description: Server-side template injection via Python dunder/builtins traversal
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: '{{config.__class__.__init__.__globals__[''os''].environ}}'
    expected: triggered
    description: SSTI dunder payload 1
  - input: '{{ ''''.__class__.__mro__[1].__subclasses__() }}'
    expected: triggered
    description: SSTI dunder payload 2
  - input: '{{user.session.__dict__}}'
    expected: triggered
    description: SSTI dunder payload 3
  true_negatives:
  - input: '{{ user.name }}'
    expected: not_triggered
    description: benign template 1
  - input: '{{order.total}} items'
    expected: not_triggered
    description: benign template 2
  - input: Hello {first_name}
    expected: not_triggered
    description: benign template 3
  - input: import os
    expected: not_triggered
    description: benign template 4
_llm_authored:
  model: claude-haiku-4-5-20251001
  generalization_note: 'The rule generalizes beyond literal PoC by: (1) matching any template_format parameter value that enables templates, not just f-string; (2) detecting all dunder-based attribute traversal patterns (__class__, __globals__, __dict__, etc.) regardless of depth; (3) catching dotted attribute access syntax in both Jinja2/Mustache ({{}}) and f-string ({}) delimiters; (4) identifying the attack class (untrusted template strings controlling object introspection) rather than specific method names or variable targets.'
  note: Generation-time LLM authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.

Revision History

Created
2026-06-01
Last modified
2026-07-15
View full commit history on GitHub →