Classroom Glossary Public page

Week 4: CVE-2025-65106, the Specific Instance

The signature lab of the course. You pin a vulnerable LangChain version in a clean virtualenv and reproduce CVE-2025-65106 end-to-end. Every interviewer who hears you took ADV-102 will ask you about this module.


Reading

  • The CVE-2025-65106 public advisory (NVD or GitHub Security Advisories link in cohort archive).
  • LangChain upstream issue thread for CVE-2025-65106 (link in cohort archive).
  • Stuttard and Pinto, WAHH, the SSTI-to-RCE escalation pattern in Ch 9.
  • AI-101 Module on prompt-template safety (cohort archive).

Lecture

Roughly three hours across two sessions. Key arc:

  • CVE-2025-65106 in one slide: CVE identifier, CVSS score, affected versions, patched version, attack surface.
  • The vulnerable LangChain code path. Walk the source on the projector.
  • The reproduction harness. What lives in the cohort-shared lab-4 directory.
  • The pinned virtualenv discipline. Why a fresh install in a global Python kills the lab.
  • What clean reproduction looks like. The artefact graders will rebuild.

Lab pack

Lab Pack 4 reproduces CVE-2025-65106 end-to-end. See Lab Pack 4.

Tools you will use

  • A clean Python 3.11+ virtualenv with the cohort-pinned vulnerable LangChain.
  • The cohort-shared reproduction harness from labs/lab-4/.
  • Optional: a live OpenAI or Anthropic SDK key if you want the live-model variant.

OWASP LLM and ASI anchor

CVE-2025-65106 is OWASP LLM01 (Prompt Injection) in the template-engine sub-class. The capstone report's OWASP mapping section starts here and gets refined through Modules 5 to 8.

Reflection prompts

  1. What is the exact line of vulnerable LangChain code where Jinja2 fires?
  2. What does the affected-version range look like? Are minor versions in or out?
  3. What is the patched-version string? What is the smallest upgrade that closes the surface?

What is next

Module 5 flips the lens. Now that you have the reproduction, you read the upstream patch and see what the LangChain maintainers changed.