CVE-2025-64439
📋 TL;DR
LangGraph SQLite Checkpoint versions 2.1.2 and below contain a Remote Code Execution vulnerability in the JsonPlusSerializer. When illegal Unicode surrogate values cause msgpack serialization to fail, the system falls back to insecure JSON deserialization, allowing attackers to execute arbitrary code. This affects all systems using the vulnerable LangGraph checkpointing library.
💻 Affected Systems
- LangGraph SQLite Checkpoint
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Remote code execution leading to data theft, service disruption, or unauthorized system access.
If Mitigated
Limited impact if proper input validation and network segmentation are in place, but still significant risk.
🎯 Exploit Status
Exploitation requires triggering the fallback to JSON mode with malicious payloads, which appears straightforward based on the vulnerability description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0
Vendor Advisory: https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5
Restart Required: Yes
Instructions:
1. Update the LangGraph checkpoint library to version 3.0.0 or higher.
2. Run: pip install 'langgraph-checkpoint>=3.0.0'
3. Restart all services using the library.
4. Test functionality to ensure compatibility.
🔧 Temporary Workarounds
Disable JSON fallback mode
- Configure the serializer so that it does not fall back to JSON mode when msgpack serialization fails
- Configure JsonPlusSerializer with strict_mode=True to prevent the fallback
Input validation
- Implement strict input validation to reject illegal Unicode surrogate values
- Apply that validation before data reaches the serializer
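The input-validation workaround above, as an added example that is not part of this advisory or of the LangGraph project. It walks a JSON-like checkpoint payload and rejects any string that Python cannot encode as UTF-8, which is exactly the condition (surrogate code points in a str) that makes msgpack packing fail and trigger the fallback. The sample payloads and the function names are constructed for illustration.

```python
# Added example (not LangGraph code): reject payloads carrying surrogate code
# points before they reach the checkpoint serializer.
from typing import Any, List


def has_lone_surrogate(text: str) -> bool:
    """True if `text` contains a surrogate code point (U+D800..U+DFFF).

    Python str objects may hold surrogates, but they cannot be encoded as
    UTF-8; that encoding error is what makes msgpack serialization fail.
    Attempting the encode is therefore the authoritative check.
    """
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        return True
    return False


def find_invalid_strings(obj: Any, path: str = "$") -> List[str]:
    """Walk dicts/lists/tuples and return the path of every offending string.

    Keys are rendered with repr() so a surrogate inside a key is escaped
    rather than copied into the reported path.
    """
    bad: List[str] = []
    if isinstance(obj, str):
        if has_lone_surrogate(obj):
            bad.append(path)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(key, str) and has_lone_surrogate(key):
                bad.append(f"{path}[{key!r}] (key)")
            bad.extend(find_invalid_strings(value, f"{path}[{key!r}]"))
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            bad.extend(find_invalid_strings(value, f"{path}[{index}]"))
    # ints, floats, bools, None and bytes carry no text and pass through.
    return bad


def validate_payload(obj: Any) -> None:
    """Raise ValueError if the payload would make msgpack packing fail."""
    bad = find_invalid_strings(obj)
    if bad:
        raise ValueError("rejected: surrogate code point in " + ", ".join(bad))


# Constructed samples: a clean state and one carrying a lone surrogate.
CLEAN = {"messages": [{"role": "user", "content": "hello"}]}
TAINTED = {"messages": [{"role": "user", "content": "abc\ud800"}]}

if __name__ == "__main__":
    validate_payload(CLEAN)
    print("clean payload accepted")
    try:
        validate_payload(TAINTED)
    except ValueError as exc:
        print(exc)
```

Call validate_payload() on every state update before it is handed to the checkpointer; a rejected update never reaches the msgpack path, so the JSON fallback cannot be reached through this trigger. Note that this is a compensating control, not a substitute for upgrading to 3.0.0.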
🧯 If You Can't Patch
- Implement strict network controls to limit access to vulnerable systems
- Deploy application-level firewalls to filter malicious payloads targeting the serializer
🔍 How to Verify
Check if Vulnerable:
Check the installed version: pip show langgraph-checkpoint | grep Version
Verify Fix Applied:
Confirm version is 3.0.0 or higher and test that illegal Unicode inputs no longer trigger JSON fallback
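The version check above, as an added example rather than a script from this advisory or from LangGraph: it reads the installed langgraph-checkpoint version from package metadata and compares it with the fixed version 3.0.0 without needing the packaging library. Pre-release builds of 3.0.0 are treated as unfixed on purpose.

```python
# Added example (not LangGraph code): flag an installed langgraph-checkpoint
# older than the 3.0.0 fix for CVE-2025-64439.
from importlib import metadata
from typing import Optional, Tuple

PACKAGE = "langgraph-checkpoint"
FIXED_VERSION = (3, 0, 0)


def parse_version(version: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric components, is_prerelease) for a PEP 440-style string.

    '2.1.2' -> ((2, 1, 2), False); '3.0.0rc1' -> ((3, 0, 0), True).
    Only the leading digits of each dotted piece are used; any trailing
    letters (a/b/rc/dev) mark the version as a pre-release.
    """
    numbers = []
    prerelease = False
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                prerelease = True  # e.g. "0rc1" or "dev3"
                break
        numbers.append(int(digits) if digits else 0)
    return tuple(numbers), prerelease


def is_vulnerable(version: str) -> bool:
    """True when the version predates 3.0.0, or is a pre-release of it."""
    numbers, prerelease = parse_version(version)
    numbers = (numbers + (0, 0, 0))[:3]  # pad '3.1' to (3, 1, 0)
    if numbers < FIXED_VERSION:
        return True
    return numbers == FIXED_VERSION and prerelease


def installed_version(package: str = PACKAGE) -> Optional[str]:
    """Installed version from dist metadata, or None if not installed."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def assess(package: str = PACKAGE) -> str:
    """One-line verdict suitable for a compliance report."""
    version = installed_version(package)
    if version is None:
        return f"{package}: not installed in this environment"
    verdict = "VULNERABLE (below 3.0.0)" if is_vulnerable(version) else "fixed (>= 3.0.0)"
    return f"{package} {version}: {verdict}"


if __name__ == "__main__":
    print(assess())
```

Run it inside each virtual environment that hosts a LangGraph service; the importlib.metadata lookup only sees the interpreter it runs under, so a container or venv that was never upgraded will report as vulnerable even when the host's global site-packages is current.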
📡 Detection & Monitoring
Log Indicators:
- Error logs showing msgpack serialization failures
- Unusual process executions following serialization errors
- Stack traces involving JsonPlusSerializer
Network Indicators:
- Unusual outbound connections from checkpointing services
- Payloads containing Unicode surrogate values
SIEM Query:
source="application.logs" AND ("msgpack serialization failed" OR "JsonPlusSerializer" OR "Unicode surrogate")
🔗 References
- https://github.com/langchain-ai/langgraph/blob/c5744f583b11745cd406f3059903e17bbcdcc8ac/libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py
- https://github.com/langchain-ai/langgraph/commit/c5744f583b11745cd406f3059903e17bbcdcc8ac
- https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D3.0.0
- https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5