ATR-2026-00554highPrompt Injectionexperimental
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
Severity
high
Category
Prompt Injection
Scan Target
runtime
Author
ATR Community (GHSA sync)
Response Actions
alert
References
OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM01:2025 - Prompt Injection
MITRE ATLAS
AML.T0051 - LLM Prompt Injection
Detection Conditions
Combinator: any- 01Server-side template injection via Python dunder/builtins traversalfield: contentop: regex
Attack Examples (Rule Triggers)
{{config.__class__.__init__.__globals__['os'].environ}}{{ ''.__class__.__mro__[1].__subclasses__() }}{{user.session.__dict__}}
Real-world attack payloads, sanitized and versioned alongside the rule as regression tests — so a future revision can't silently stop catching them.
Benign Examples (Rule Doesn't Trigger)
- benign template 1
{{ user.name }} - benign template 2
{{order.total}} items - benign template 3
Hello {first_name} - benign template 4
import os
Full YAML Definition
Edit on GitHub →title: LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
id: ATR-2026-00554
rule_version: 1
status: experimental
description: 'GitHub Security Advisory GHSA-6qv9-48xg-fc7f (CVE-2025-65106). LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
'
author: ATR Community (GHSA sync)
date: 2026/06/01
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2025-65106
cwe:
- CWE-1336
ghsa:
- GHSA-6qv9-48xg-fc7f
external:
- https://github.com/langchain-ai/langchain/security/advisories/GHSA-6qv9-48xg-fc7f
- https://github.com/langchain-ai/langchain/commit/c4b6ba254e1a49ed91f2e268e6484011c540542a
- https://github.com/langchain-ai/langchain/commit/fa7789d6c21222b85211755d822ef698d3b34e00
- https://nvd.nist.gov/vuln/detail/CVE-2025-65106
- https://github.com/advisories/GHSA-6qv9-48xg-fc7f
owasp_llm:
- LLM01:2025 - Prompt Injection
owasp_agentic:
- ASI01:2026 - Agent Goal Hijack
mitre_atlas:
- AML.T0051 - LLM Prompt Injection
metadata_provenance:
ghsa: ghsa-sync
cve: ghsa-sync
cwe: ghsa-sync
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
strength: primary
- article: "9"
context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
strength: secondary
- article: "14"
context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) would bypass or undermine that oversight."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
strength: primary
- subcategory: "MG.2.3"
context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) so the risk can be treated."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates)."
strength: primary
- clause: "6.2"
context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates) is such a treatment."
strength: secondary
tags:
category: prompt-injection
scan_target: runtime
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i)\{\{?[^{}]*\b__(?:class|globals|import|builtins|subclasses|init|mro|base|dict|reduce|getattribute|subclasshook)__[^{}]*\}?\}
description: Server-side template injection via Python dunder/builtins traversal
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: '{{config.__class__.__init__.__globals__[''os''].environ}}'
expected: triggered
description: SSTI dunder payload 1
- input: '{{ ''''.__class__.__mro__[1].__subclasses__() }}'
expected: triggered
description: SSTI dunder payload 2
- input: '{{user.session.__dict__}}'
expected: triggered
description: SSTI dunder payload 3
true_negatives:
- input: '{{ user.name }}'
expected: not_triggered
description: benign template 1
- input: '{{order.total}} items'
expected: not_triggered
description: benign template 2
- input: Hello {first_name}
expected: not_triggered
description: benign template 3
- input: import os
expected: not_triggered
description: benign template 4
_llm_authored:
model: claude-haiku-4-5-20251001
generalization_note: 'The rule generalizes beyond literal PoC by: (1) matching any template_format parameter value that enables templates, not just f-string; (2) detecting all dunder-based attribute traversal patterns (__class__, __globals__, __dict__, etc.) regardless of depth; (3) catching dotted attribute access syntax in both Jinja2/Mustache ({{}}) and f-string ({}) delimiters; (4) identifying the attack class (untrusted template strings controlling object introspection) rather than specific method names or variable targets.'
note: Generation-time LLM authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.