AVE-2025-0101 — Serialization Confused Deputy

Serialization Confused Deputy

🔴 CRITICAL injection proven AVE-2025-0101

· aka: Serialization Injection, Control Plane Data Mixing, lc Key Injection

Summary

Framework serialization formats use marker keys (e.g., 'lc') to distinguish serialized objects from plain data. When user-controlled data containing these markers is serialized and deserialized, injected structures are treated as legitimate framework objects, enabling secret extraction and arbitrary class instantiation.

Blast Radius

Full environment variable exfiltration. Arbitrary class instantiation within trusted namespaces. Affects astream_events(v1), astream_log(), RunnableWithMessageHistory, InMemoryVectorStore, and all caching layers.

Prerequisites

Application uses framework serialization on data that includes user-controlled fields. Common in streaming, caching, and message history workflows.

Environment

Frameworks: LangChain, LangSmith
Multi-agent: No
Tools required: No
Memory required: No

Known Defences

Serialization Escaping — ? layer
Allowlist Enforcement — ? layer
secrets_from_env=False Default — ? layer

🔒 Full defence implementations available through the NAIL SDK.

AVE-2025-0026
AVE-2025-0028
AVE-2025-0019
CWE: CWE-502 (Deserialization of Untrusted Data), CWE-441 (Confused Deputy)

🛡️ NAIL Institute — AVE Database