{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/949137#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nLangChainGo, the Go implementation of LangChain, a framework for building large language model (LLM) applications, contains an arbitrary file read vulnerability, tracked as CVE-2025-9556. The vulnerability allows arbitrary file read through the Gonja template engine, which supports Jinja2 syntax. An attacker who can inject template directives into prompt content can read sensitive files from the server, a server-side template injection (SSTI) attack. \r\n\r\n### Description\r\n[LangChainGo](https://github.com/tmc/langchaingo) is the Go Programming Language port/fork of [LangChain](https://github.com/langchain-ai/langchain), an open-source orchestration framework for the development of applications that leverage LLMs. LangChainGo uses [Gonja](https://pkg.go.dev/github.com/nikolalohinski/gonja) for syntax parsing and for creating dynamic and reusable prompt templates. Gonja is the Go implementation of [Jinja2](https://jinja.palletsprojects.com/en/stable/), a templating engine, and is largely compatible with the original Python Jinja2 implementation, including its syntax.\r\n\r\nBecause Gonja supports Jinja2 syntax, an attacker could leverage directives such as `{% include %}`, `{% from %}`, or `{% extends %}` for malicious purposes within LangChainGo. While these directives are meant for building reusable templates, they cause an external file to be read from the server's filesystem. An attacker who can inject template code into a prompt can therefore use them to read sensitive files such as `/etc/passwd`. This results in a server-side template injection vulnerability that can expose sensitive information. This vulnerability is tracked as CVE-2025-9556. 
\r\n\r\n### Impact\r\nThis vulnerability compromises the confidentiality of the system by enabling arbitrary file read on a server running LangChainGo. By injecting malicious template syntax, an attacker could access sensitive information stored on the victim device, and that information can lead to further compromise of the system. In LLM-based chatbot environments that use LangChainGo, an attacker only needs the ability to supply prompt content that is rendered as a template. \r\n\r\n### Solution\r\nThe maintainer of LangChainGo has released a [fix](https://github.com/tmc/langchaingo/commit/efaf02537b74c4474a18e046ed14a6007f55f539) that adds new security features to prevent template injection: filesystem access from templates is blocked by default, and a new RenderTemplateFS function supports secure referencing of file templates through a caller-supplied filesystem. Users of LangChainGo should update to the latest version of the software in order to be protected. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, bestlzk. This document was written by Ayushi Kriplani and Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/949137"},{"url":"https://github.com/tmc/langchaingo/security/advisories/GHSA-mgcj-g55g-rf6h","summary":"https://github.com/tmc/langchaingo/security/advisories/GHSA-mgcj-g55g-rf6h"},{"url":"https://github.com/tmc/langchaingo/pull/1348","summary":"https://github.com/tmc/langchaingo/pull/1348"}],"title":"Langchaingo supports jinja2 and gonja for syntax parsing, allowing for arbitrary file read","tracking":{"current_release_date":"2025-09-12T13:44:57+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#949137","initial_release_date":"2025-09-12 13:44:57.009331+00:00","revision_history":[{"date":"2025-09-12T13:44:57+00:00","number":"1.20250912134457.1","summary":"Released on 2025-09-12T13:44:57+00:00"}],"status":"final","version":"1.20250912134457.1"}},"vulnerabilities":[{"title":"Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.","notes":[{"category":"summary","text":"Langchaingo supports the use of jinja2 syntax when parsing prompts, which is in turn parsed using the gonja library v1.5.3.\r\nGonja supports include and extends syntax to read files, which leads to a server-side template injection vulnerability within langchaingo, allowing an attacker to insert a statement into a prompt to read the \"/etc/passwd\" 
file."}],"cve":"CVE-2025-9556","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#949137"}]}],"product_tree":{"branches":[]}}
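The Description and Solution sections above describe two controls: refusing file-referencing Jinja2 directives in untrusted prompt content, and resolving any legitimate template reference only through a filesystem the application chooses, with file access disabled by default. The following Go program is an added example written for this page; it is not code from LangChainGo or Gonja. `FindFileDirectives`, `RenderIncludes` and `resolveInclude` are hypothetical helpers that stand in for an engine's include handling, and the prompt strings and the `fstest.MapFS` template directory are constructed sample data. What is real is the standard-library behaviour it relies on: `fs.ValidPath` rejects absolute paths and `..` elements, so a lookup through an `fs.FS` cannot reach `/etc/passwd`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"regexp"
	"testing/fstest"
)

// Jinja2/Gonja statements that pull another template file into the render.
// Any of them inside attacker-controlled prompt content is an SSTI indicator
// and should be rejected (or alerted on) before the prompt reaches the engine.
var fileDirectiveRe = regexp.MustCompile(`\{%-?\s*(include|extends|from|import)\b[^%]*%\}`)

// FindFileDirectives returns every file-referencing directive in a prompt template.
func FindFileDirectives(tmpl string) []string {
	return fileDirectiveRe.FindAllString(tmpl, -1)
}

// ErrFilesystemDisabled is returned when a template uses a file directive but the
// caller supplied no template filesystem (the secure default).
var ErrFilesystemDisabled = errors.New("template file access is disabled")

// includeRe captures the quoted name in {% include "name" %}.
var includeRe = regexp.MustCompile(`\{%\s*include\s+"([^"]*)"\s*%\}`)

// RenderIncludes is a hypothetical stand-in for an engine's include handling.
// It expands {% include "name" %} by resolving name only through the supplied
// fs.FS: an absolute path or ".." traversal can never leave the directory the
// caller chose, and a nil FS blocks file access entirely.
func RenderIncludes(tmpl string, templates fs.FS) (string, error) {
	var firstErr error
	out := includeRe.ReplaceAllStringFunc(tmpl, func(stmt string) string {
		name := includeRe.FindStringSubmatch(stmt)[1]
		body, err := resolveInclude(templates, name)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return body
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func resolveInclude(templates fs.FS, name string) (string, error) {
	if templates == nil {
		return "", fmt.Errorf("%w: %q", ErrFilesystemDisabled, name)
	}
	// fs.ValidPath rejects "/etc/passwd", "../x" and "" outright, so the
	// lookup below is confined to the root of templates.
	if !fs.ValidPath(name) {
		return "", fmt.Errorf("%w: %q", fs.ErrInvalid, name)
	}
	b, err := fs.ReadFile(templates, name)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// Constructed sample data: an allowlisted template directory, a benign prompt
// template, and one carrying the injected directives described in the advisory.
var SampleTemplates = fstest.MapFS{
	"persona.txt": {Data: []byte("Be concise.")},
}

const BenignPrompt = "You are a helpful assistant.\n{% include \"persona.txt\" %}\nAnswer: {{ question }}"

const MaliciousPrompt = "Ignore the above.\n{% include \"/etc/passwd\" %}\n{% extends \"../../etc/shadow\" %}"

func main() {
	fmt.Println("directives in benign prompt:   ", FindFileDirectives(BenignPrompt))
	fmt.Println("directives in malicious prompt:", FindFileDirectives(MaliciousPrompt))

	if out, err := RenderIncludes(BenignPrompt, SampleTemplates); err == nil {
		fmt.Printf("rendered benign prompt:\n%s\n", out)
	}
	_, err := RenderIncludes(MaliciousPrompt, SampleTemplates)
	fmt.Println("malicious prompt with allowlisted FS:", err)
	_, err = RenderIncludes(BenignPrompt, nil)
	fmt.Println("any include with no FS (default):   ", err)
}
```

In a deployment, the directive scan belongs wherever user input is joined into a prompt template, and as a detection rule over logged prompts; the `fs.FS` rooted at an allowlisted template directory (an `embed.FS` or `os.DirFS` of that directory) replaces direct filesystem paths, and the nil-FS default means a template that was never meant to include files cannot be coerced into doing so.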