[[1]](#ref-SCF:CP-RMM:Web) [[2]](#ref-SCF:CP-RMM:PDF:v2025-2) [[3]](#ref-MITRE:ATTACK:WEB) [[4]](#ref-MITRE:CWE:WEB) [[5]](#ref-MITRE:CAPEC:WEB) [[6]](#ref-MITRE:ATLAS:WEB) [[7]](#ref-MITRE:ATLAS:Matrix:WEB) [[8]](#ref-OWASP:TOP10:WEB) [[9]](#ref-OWASP:TOP10:LLM:WEB) [[10]](#ref-OWASP:TOP10:Agentic:2026:WEB) [[11]](#ref-NIST:AI:100-2e2023) [[12]](#ref-MITRE:CWE502:Deserialization) [[13]](#ref-Cyata:LangGrinch:WEB) [[14]](#ref-CybersecurityNews:LangGrinch:WEB) [[15]](#ref-TheHackerNews:LangGrinch:WEB) [[16]](#ref-WebProNews:LangGrinch:WEB) [[17]](#ref-GitHubAdvisoryDatabase:LangGrinch:CVE-2025-68664) [[18]](#ref-GitHubAdvisoryDatabase:LangGrinch:CVE-2025-68665) [[19]](#ref-NVD:LangGrinch:CVE-2025-68664) [[20]](#ref-NVD:LangGrinch:CVE-2025-68665) [[21]](#ref-NIST:AI:100-2e2025)



References

[1] “Cybersecurity & Data Privacy Risk Management Model (C).” https://securecontrolsframework.com/free/risk-management-model/.

[2] “Cybersecurity & Data Privacy Risk Management Model (CP-RMM) Overview.” https://securecontrolsframework.com/content/SCF-Risk-Management-Model.pdf, 2025.

[3] “MITRE ATT&CK.” https://attack.mitre.org/.

[4] “CWE - Common Weakness Enumeration.” https://cwe.mitre.org/.

[5] “CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC™).” https://capec.mitre.org/index.html.

[6] “MITRE ATLAS™.” https://atlas.mitre.org/.

[7] “ATLAS Matrix | MITRE ATLAS™.” https://atlas.mitre.org/matrices/ATLAS.

[8] “OWASP Top Ten Web Application Security Risks | OWASP Foundation.” https://owasp.org/www-project-top-ten/.

[9] “OWASP Top 10 for Large Language Model Applications | OWASP Foundation.” https://owasp.org/www-project-top-10-for-large-language-model-applications/.

[10] “OWASP Top 10 for Agentic Applications for 2026,” OWASP Gen AI Security Project. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/.

[11] A. Vassilev, A. Oprea, A. Fordyce, and H. Anderson, “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” National Institute of Standards and Technology, NIST Artificial Intelligence (AI) 100-2 E2023, Jan. 2024. doi: 10.6028/NIST.AI.100-2e2023.

[12] “CWE - CWE-502: Deserialization of Untrusted Data (4.19).” https://cwe.mitre.org/data/definitions/502.html.

[13] P. Yarden, “All I Want for Christmas is Your Secrets: LangGrinch hits LangChain Core (CVE-2025-68664),” Cyata | The Control Plane for Agentic Identity. https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/, Dec. 2025.

[14] G. Baran, “Critical Langchain Vulnerability Let attackers Exfiltrate Sensitive Secrets from AI systems,” Cyber Security News. https://cybersecuritynews.com/langchain-vulnerability/, Dec. 2025.

[15] R. Lakshmanan, “Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection,” The Hacker News. https://thehackernews.com/2025/12/critical-langchain-core-vulnerability.html.

[16] E. Hastings, “LangGrinch Vulnerability Exposes LangChain AI to Secret Theft Risks,” WebProNews. https://www.webpronews.com/langgrinch-vulnerability-exposes-langchain-ai-to-secret-theft-risks/, Dec. 2025.

[17] “CVE-2025-68664 - GitHub Advisory Database,” GitHub. https://github.com/advisories/GHSA-c67j-w6g6-q2cm.

[18] “CVE-2025-68665 - GitHub Advisory Database,” GitHub. https://github.com/advisories/GHSA-r399-636x-v7f6.

[19] “NVD - CVE-2025-68664.” https://nvd.nist.gov/vuln/detail/CVE-2025-68664.

[20] “NVD - CVE-2025-68665.” https://nvd.nist.gov/vuln/detail/CVE-2025-68665.

[21] A. Vassilev, A. Oprea, A. Fordyce, H. Anderson, X. Davies, and M. Hamin, “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” National Institute of Standards and Technology, NIST Artificial Intelligence (AI) 100-2 E2025, Mar. 2025. doi: 10.6028/NIST.AI.100-2e2025.