LangChainGo template injection vulnerability enables arbitrary file access
Take action: Another URGENT advisory. If you're using LangChainGo, immediately upgrade to version 0.18.2 or later because the template engine allows attackers to send template injection in the chat prompt and read any file on your server. Isolating doesn't help much, your users are your potential attackers.
Learn More
LangChainGo, the Go implementation of the popular LangChain framework for building large language model applications, is reporting a critical security vulnerability that allows attackers to read arbitrary files.
The vulnerability is tracked as CVE-2025-9556 (CVSS score 9.8) a server-side template injection flaw. The vulnerability is caused by LangChainGo's use of the Gonja template engine, which is a Go port of Python's Jinja2 templating system. LangChainGo leverages Gonja for parsing and rendering dynamic prompt templates, taking advantage of its compatibility with Jinja2 syntax to create reusable and flexible prompt structures.
The core issue lies in Gonja's support for Jinja2 directives such as {% include %}, {% from %}, and {% extends %}, which were designed for legitimate template composition but can be weaponized for malicious file access.
Aor example, an attacker could inject a payload like {% include '/etc/passwd' %} into a prompt to access sensitive system files, or target configuration files, SSH keys, API credentials, or other proprietary data stored on the server.
The exploitation process requires only access to the prompt submission interface, so all users of LLM chat environments are potential attackers. Since LangChainGo processes these prompts through the Gonja template engine, malicious template syntax is executed with the same privileges as the application.
All LangChainGo versions prior to 0.18.2 are vulnerable to this arbitrary file read attack. The vulnerability affects any deployment that uses LangChainGo's template rendering functionality with user-controlled input, regardless of the underlying hosting environment or configuration.
LangChainGo maintainers have released version 0.18.2 which addresses this flaw. The update introduces a new RenderTemplateFS function that enforces strict security controls by implementing a whitelist of permissible template paths and disabling arbitrary filesystem access by default. The patched version also includes hardened template parsing routines that sanitize or reject prompts containing dangerous Jinja2 file-inclusion directives.
The update provides a new NewSecureTemplate API that replaces the vulnerable NewTemplate() function, ensuring that template instantiation follows secure practices.
Organizations should immediately upgrade to version 0.18.2 or later and audit their existing code to replace any usage of the deprecated template functions with the secure alternatives. For systems that cannot immediately upgrade, administrators should implement strict input validation to filter out Jinja2 template directives, restrict filesystem permissions for the LangChainGo process, and monitor for suspicious file access patterns in system logs.
