The signature lab of the course. You pin a vulnerable LangChain version in a clean virtualenv and reproduce CVE-2025-65106 end-to-end. Every interviewer who hears you took ADV-102 will ask you about this module.
Reading
- The CVE-2025-65106 public advisory (NVD or GitHub Security Advisories link in cohort archive).
- LangChain upstream issue thread for CVE-2025-65106 (link in cohort archive).
- Stuttard and Pinto, WAHH, the SSTI-to-RCE escalation pattern in Ch 9.
- AI-101 Module on prompt-template safety (cohort archive).
Lecture
Roughly three hours across two sessions. Key arc:
- CVE-2025-65106 in one slide: CVE identifier, CVSS score, affected versions, patched version, attack surface.
- The vulnerable LangChain code path. Walk the source on the projector.
- The reproduction harness. What lives in the cohort-shared lab-4 directory.
- The pinned virtualenv discipline. Why a fresh install in a global Python kills the lab.
- What clean reproduction looks like. The artefact graders will rebuild.
Lab pack
Lab Pack 4 reproduces CVE-2025-65106 end-to-end. See Lab Pack 4.
Tools you will use
- A clean Python 3.11+ virtualenv with the cohort-pinned vulnerable LangChain.
- The cohort-shared reproduction harness from
labs/lab-4/. - Optional: a live OpenAI or Anthropic SDK key if you want the live-model variant.
OWASP LLM and ASI anchor
CVE-2025-65106 is OWASP LLM01 (Prompt Injection) in the template-engine sub-class. The capstone report's OWASP mapping section starts here and gets refined through Modules 5 to 8.
Reflection prompts
- What is the exact line of vulnerable LangChain code where Jinja2 fires?
- What does the affected-version range look like? Are minor versions in or out?
- What is the patched-version string? What is the smallest upgrade that closes the surface?
What is next
Module 5 flips the lens. Now that you have the reproduction, you read the upstream patch and see what the LangChain maintainers changed.