CVE-2025-64104: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in langchain-ai langgraph
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.
AI Analysis
Technical Summary
CVE-2025-64104 is a SQL injection vulnerability identified in the LangGraph SQLite CheckpointSaver component of the langchain-ai project. LangGraph uses SQLite databases (both synchronous and asynchronous via aiosqlite) to persist checkpoint data. Prior to version 2.0.11, the implementation constructs SQL queries through direct string concatenation without proper parameterization or escaping of user-supplied input. This improper neutralization of special elements (CWE-89) allows an attacker with local access and limited privileges to inject arbitrary SQL commands. The injected SQL can be used to bypass access controls, potentially exposing or modifying sensitive data stored in the SQLite database. The vulnerability affects all versions before 2.0.11 and does not require user interaction, but does require some level of local privilege (AV:L, PR:L). The CVSS v3.1 score of 7.3 reflects a high severity due to the high confidentiality impact, limited integrity impact, and no availability impact. The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. No known exploits have been reported in the wild as of the publication date (October 29, 2025). The fix involves proper parameterization of SQL queries to prevent injection attacks. This vulnerability is particularly relevant for organizations using LangGraph in AI workflows that rely on SQLite for checkpoint persistence.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of data managed by LangGraph applications, especially those that handle sensitive AI model checkpoints or related metadata. Successful exploitation could allow attackers to bypass access controls and extract or manipulate confidential information stored in SQLite databases. This can lead to intellectual property theft, leakage of proprietary AI training data, or unauthorized modification of checkpoint states, potentially disrupting AI workflows. Given that the vulnerability requires local access with limited privileges, insider threats or compromised internal accounts pose a realistic attack vector. The lack of availability impact means systems remain operational, but data confidentiality is at risk. Organizations in sectors with high AI adoption such as finance, healthcare, and research institutions in Europe could face reputational damage and regulatory consequences under GDPR if sensitive data is exposed.
Mitigation Recommendations
1. Immediately upgrade all LangGraph deployments to version 2.0.11 or later, where the vulnerability is fixed.
2. Audit all applications using LangGraph SQLite stores to identify any instances of vulnerable versions.
3. Restrict local access to systems running LangGraph to trusted and authenticated users only, minimizing the risk of privilege abuse.
4. Implement strict access controls and monitoring on SQLite database files to detect unauthorized access or tampering.
5. Conduct code reviews and penetration testing focused on SQL injection vectors in custom integrations with LangGraph.
6. Employ runtime application self-protection (RASP) or database activity monitoring tools to detect anomalous SQL queries.
7. Educate developers and administrators about secure coding practices, emphasizing parameterized queries and input validation.
8. Maintain an incident response plan to quickly address any suspected exploitation attempts.
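To make the pattern described in the technical summary and in mitigation item 7 concrete, here is an added example (not LangGraph's own code) of a constructed SQLite store queried first by string concatenation and then with a bound parameter. The table, its rows and the hostile namespace value are all constructed for this demonstration.

```python
import sqlite3

# Constructed in-memory store that mimics the vulnerable pattern (string
# concatenation) beside the parameterized fix. Illustrative code only,
# not LangGraph's own implementation.
ROWS = [
    ("tenant_a", "thread-1", "checkpoint-a1"),
    ("tenant_b", "thread-1", "checkpoint-b1"),
    ("tenant_c", "thread-7", "checkpoint-c7"),
]

def make_store() -> sqlite3.Connection:
    """Create a throwaway SQLite store with one row per tenant namespace."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (namespace TEXT, key TEXT, value TEXT)")
    conn.executemany("INSERT INTO store VALUES (?, ?, ?)", ROWS)
    return conn

def list_vulnerable(conn: sqlite3.Connection, namespace: str) -> list:
    """Vulnerable: the caller-controlled namespace is spliced into the SQL
    text, so a quote inside it rewrites the query instead of being data."""
    sql = "SELECT namespace, key, value FROM store WHERE namespace = '" + namespace + "'"
    return conn.execute(sql).fetchall()

def list_parameterized(conn: sqlite3.Connection, namespace: str) -> list:
    """Fixed: a ? placeholder binds the namespace as a value; the driver never
    interprets it as SQL, whatever characters it contains."""
    sql = "SELECT namespace, key, value FROM store WHERE namespace = ?"
    return conn.execute(sql, (namespace,)).fetchall()

def demo() -> tuple:
    """Return row counts for an honest lookup, a hostile value against the
    concatenated query, and the same hostile value against the bound query."""
    conn = make_store()
    honest = len(list_parameterized(conn, "tenant_a"))
    # Constructed hostile value: a stray quote plus an always-true predicate.
    hostile = "tenant_a' OR '1'='1"
    bypassed = len(list_vulnerable(conn, hostile))      # every tenant's row leaks
    contained = len(list_parameterized(conn, hostile))  # no such namespace: 0 rows
    return honest, bypassed, contained

if __name__ == "__main__":
    print(demo())  # → (1, 3, 0)
```

The middle number is the access-control bypass the advisory describes: the tenant filter is neutralised and rows from every namespace come back, while the bound version returns nothing for the same input.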
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-27T15:26:14.127Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69026375e09a14ef713ad330
Added to database: 10/29/2025, 6:56:53 PM
Last enriched: 10/29/2025, 7:11:51 PM
Last updated: 10/30/2025, 3:46:16 PM