A significant security flaw has been identified in LangChainGo, the Go-based version of the popular language model framework. This vulnerability, tracked as CVE-2025-9556, allows unauthenticated attackers to perform arbitrary file reads by using specially crafted prompt templates. Essentially, a malicious actor can exploit this flaw to view sensitive server files without needing direct access to the system, compromising data confidentiality and undermining the trust of LLM-based systems. The vulnerability is especially dangerous in shared deployments because an attacker only needs access to a prompt submission interface to exploit it.
This flaw is a type of Server-Side Template Injection (SSTI) that exploits the Gonja template engine, a Go port of Python’s Jinja2. The Gonja engine, by design, supports directives like {% include %} and {% from %}, which are used for creating reusable templates. However, when these directives are used with untrusted user input, they can be manipulated to interact with the filesystem in dangerous ways. By submitting a payload that includes a malicious path, an attacker can trick LangChainGo into loading and returning the contents of system files, such as /etc/passwd.
An attacker can exploit this vulnerability by submitting a crafted prompt that forces the template engine to load and return the contents of a specified file. For instance, a simple payload like {% include ‘/etc/passwd’ %} is enough to expose the contents of that file. This exploit is made even more powerful by Jinja2’s advanced syntax, which allows for nested statements and custom macros. These features can be used to navigate directory structures or perform multiple file reads within a single injection string, making it simple for remote attackers to gain a foothold.
The vulnerability poses a serious risk to data confidentiality. By harvesting sensitive files like SSH keys, environment files, and API credentials, attackers can potentially elevate their privileges, move laterally within the network, or steal intellectual property. This risk is amplified in multi-tenant environments, where a single malicious user could access another tenant’s files and resources. The ease of exploitation, requiring only access to the prompt submission interface, makes this a critical concern for anyone running a LangChainGo-powered application.
To address this critical issue, developers have released a patch that introduces a new, secure function called RenderTemplateFS(). This function strictly enforces a whitelist of permissible template paths, effectively disabling arbitrary filesystem access by default. The update also includes hardened template parsing routines that sanitize or reject any prompt containing dangerous Jinja2 file-inclusion directives. All LangChainGo operators are advised to immediately upgrade to version 0.18.2 or later and to audit their code. They should replace any custom template instantiations using the old NewTemplate() API with the new, secure NewSecureTemplate() API to mitigate the risk and protect their systems.
Reference:
