A recently discovered flaw in LangChainGo, the Go implementation of the LangChain framework for large language models, permits attackers to read arbitrary files on a server by injecting malicious prompt templates.
Tracked as CVE-2025-9556, this vulnerability arises from the use of the Gonja template engine, which supports Jinja2 syntax and can be manipulated to perform unauthorized file reads.
| CVE ID | Original Release Date | Description |
| --- | --- | --- |
| CVE-2025-9556 | 2025-09-12 | Arbitrary file read via malicious prompt templates in LangChainGo using Gonja engine |
Overview of the Vulnerability
LangChainGo is a Go port of the LangChain orchestration framework, designed to help developers build applications that leverage large language models.
It uses Gonja, a Go-based implementation of the Jinja2 templating engine, for parsing and rendering dynamic prompt templates.
Critically, Gonja retains Jinja2 directives such as {% include %}, {% from %}, and {% extends %}. These directives can be repurposed by an attacker to load and read files from the server’s filesystem.
Under normal use, these features enable the creation of modular and reusable templates. However, when user-controlled input is passed directly to the template engine, an attacker can inject template code that references critical system files, for example /etc/passwd.
The injected code is then evaluated on the server. This is a server-side template injection (SSTI), and here it discloses sensitive data.
The arbitrary file read vulnerability undermines the confidentiality of systems running LangChainGo. Attackers only need access to the prompt input field to craft malicious templates that expose any file readable by the application.
In environments where LangChainGo is used to power chatbot interfaces or other LLM-based services, an attacker could exploit this flaw without needing any additional privileges.
According to a report by KBCert, sensitive files such as configuration files, private keys, or user credentials may be exposed, potentially enabling further attacks like privilege escalation or lateral movement within the network.
The LangChainGo maintainer has released an update that adds the RenderTemplateFS function.
This new function isolates template rendering from direct filesystem access by default and provides a secure mechanism for including only approved files.
The update also blocks unauthorized file access at the template engine level. Users should upgrade to the latest LangChainGo release immediately to apply these security enhancements.
To update, run:
go get github.com/tmc/langchaingo@latest
After upgrading, review any custom template code and ensure that template rendering uses RenderTemplateFS rather than the previous rendering functions.
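As an aid to that review, the following added example (not LangChainGo or Gonja code) scans template strings for the three file-loading directives named above and reports what each one references. The names Finding, FindFileDirectives and SafeForRendering are hypothetical, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding records one file-loading directive found in a template string.
// (Hypothetical type for this example, not part of LangChainGo.)
type Finding struct {
	Directive string // include, from or extends
	Target    string // first argument of the tag, quotes stripped if literal
}

// fileTag matches {% include X %}, {% from X ... %} and {% extends X %},
// including the whitespace-control openers {%- and {%+.
var fileTag = regexp.MustCompile(
	`\{%[-+]?\s*(include|from|extends)\s+("[^"]*"|'[^']*'|[^\s%]+)`)

// FindFileDirectives returns every file-loading directive in tmpl.
func FindFileDirectives(tmpl string) []Finding {
	var out []Finding
	for _, m := range fileTag.FindAllStringSubmatch(tmpl, -1) {
		target := m[2]
		if len(target) >= 2 && (target[0] == '"' || target[0] == '\'') {
			target = target[1 : len(target)-1] // strip the quotes
		}
		out = append(out, Finding{Directive: m[1], Target: target})
	}
	return out
}

// SafeForRendering reports whether tmpl is free of file-loading directives.
func SafeForRendering(tmpl string) bool {
	return len(FindFileDirectives(tmpl)) == 0
}

func main() {
	// Constructed sample inputs: one ordinary prompt, two that load files.
	samples := []string{
		"Summarise this for {{ name }}.",
		`Hello {% include "/etc/passwd" %}`,
		`{%- extends 'base.txt' %}{% from "macros.j2" import field %}`,
	}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", s, FindFileDirectives(s))
	}
}
```

A hit in a template that is assembled from user input marks a call site to move to RenderTemplateFS first; the scan complements the upgrade and does not replace it.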