Serialization in LLM Frameworks

LLM orchestration frameworks face a persistent challenge: chains, agents, memory stores, and tool configurations need to be saved, transmitted, and restored. A conversation chain needs to remember its history across requests. A workflow definition needs to be stored and reloaded. Agent configurations need to be shared between services. Serialization is the mechanism that enables all of this.

The security problem with serialization in LLM frameworks is the same as with serialization in any framework: if the serialized format is not properly validated on deserialization, and if an attacker can influence the content of serialized objects (through a database write, an API call, or by controlling a document that gets processed), they can inject keys and values that alter the framework's behaviour in unintended ways.

The LLM-specific twist: Traditional deserialization attacks (Java, PHP, Python pickle) aim for code execution. LLM framework serialization injection has additional attack goals specific to AI systems: manipulating the system prompt, redirecting API calls to attacker-controlled endpoints, exfiltrating secrets embedded in the chain configuration, and poisoning the memory state that informs future LLM responses.

The LangChain Serialization Format

LangChain uses a JSON-based serialization format with a special key structure. Serialized objects include a lc key that controls how the object is deserialized, a type key that specifies the object class, and a set of payload keys containing the object's data. When LangChain loads a serialized chain or memory object, it reads the lc key to determine what class to instantiate and the payload keys to initialise it.

The security concern is that the deserialization path trusts the lc and type keys in the serialized JSON. An attacker who can modify a serialized LangChain object β€” stored in a database, passed through an API, or constructed from user-controlled input β€” can inject keys that alter which class is instantiated and with what parameters.

// Legitimate serialized LangChain memory object { "lc": 1, "type": "constructor", "id": ["langchain", "memory", "ConversationBufferMemory"], "kwargs": { "chat_memory": { ... legitimate messages ... } } } // Injected: additional kwargs that alter behaviour { "lc": 1, "type": "constructor", "id": ["langchain", "memory", "ConversationBufferMemory"], "kwargs": { "chat_memory": { ... messages ... }, "human_prefix": "SYSTEM" // elevates human messages to system authority } }

Injection Mechanics

Serialization injection in LLM frameworks targets any point in the application where serialized state is loaded from an insufficiently trusted source. The primary attack vectors are:

  • Database-stored chain configurations: Applications that store LangChain configurations in databases and allow users to create or modify those configurations are directly exposed. A user who can write arbitrary JSON to the chain configuration field can inject keys that alter the loaded chain's behaviour.
  • API-transmitted chain state: Applications that pass serialized chain state between microservices via API calls are exposed if an attacker can intercept or manipulate those calls. MITM attacks, confused deputy attacks via server-side request forgery, or insecure direct object reference vulnerabilities can all provide the ability to inject into API-transmitted state.
  • User-provided chain definitions: Applications that allow users to define their own LangChain pipelines (a common feature in no-code AI builder platforms) are inherently exposed β€” the user is the attacker in this model.
  • Import/export functionality: Chain export/import features that serialize to JSON and then re-import from user-uploaded files create a direct injection path. Any chain import feature must validate the deserialized object strictly before instantiating it.

Secret Exfiltration via Injected Keys

LangChain chain configurations frequently embed API keys β€” the LLM provider key, vector database credentials, tool API keys β€” directly in the serialized form. This is convenient but creates a risk: any injection that causes the chain to serialize its configuration back to an attacker-visible output will exfiltrate those embedded keys.

A more targeted exfiltration approach: inject a key that replaces the LLM's API base URL with an attacker-controlled endpoint. When the chain makes API calls to the LLM, it instead sends requests to the attacker's server β€” requests that include the API key in the Authorization header. The legitimate API responses are not received, but the attacker now has the API key.

Code Execution Risk

The most severe risk in LLM framework serialization is code execution. LangChain's serialization format can represent Python callable objects β€” tools, custom chains, callbacks β€” as serialized data. If the deserialization path instantiates classes based on attacker-controlled type identifiers without a strict allow-list, an attacker can cause arbitrary Python classes to be instantiated with arbitrary constructor arguments.

This is structurally similar to the Java and Python deserialization code execution vulnerabilities that have been well-documented in traditional frameworks. The specific class and gadget chains differ for LangChain, but the root cause β€” deserializing type identifiers from untrusted data β€” is identical. LangChain's load_chain and related functions have been iteratively hardened with allow-lists and warnings, but applications built on older versions or that use lower-level deserialization APIs remain at risk.

Mitigations

  1. Never deserialize LangChain objects from untrusted sources: The most fundamental control. If a user can provide a serialized chain configuration, treat it as untrusted code execution. Do not load it with the standard deserialization path.
  2. Use schema validation before deserialization: Validate serialized objects against a strict JSON Schema before passing them to LangChain's deserialization. Reject any object with unexpected keys, unexpected type identifiers, or non-allowlisted class paths.
  3. Do not embed API keys in serialized chain configurations: Pass API keys through environment variables or a secrets manager. A serialized chain configuration that leaks should not also leak API keys. Keep serialized state and credentials in separate storage with separate access controls.
  4. Pin LangChain versions and audit changelogs: Security fixes in LangChain's serialization code are released regularly. Running outdated versions means running with known-fixed vulnerabilities. Treat LangChain updates with the same urgency as other security patches.
  5. Isolate chain execution environments: Run LangChain chains in isolated environments (containers, sandboxed processes) with minimal filesystem access and network egress restrictions. Even if deserialization achieves code execution, the blast radius is contained to the isolated environment.
  6. Log all chain configuration loads and flag anomalous class instantiation: Instrument your LangChain application to log every class instantiated during deserialization. Alert on classes outside your expected application class set β€” this is an indicator of injection exploitation in progress.

LLM framework security is at approximately the same maturity level as web framework security was in 2010. The same vulnerability classes that affected Java and PHP frameworks β€” deserialization, injection, overprivileged internals β€” are appearing in LLM frameworks in forms that are specific to AI systems but structurally familiar. The lessons from a decade of web framework hardening apply directly.