CVE-2025-64104 identifies a SQL injection vulnerability in the LangGraph SQLite Checkpoint component of the langchain-ai project, specifically in versions before 2.0.11. LangGraph uses SQLite databases for checkpoint saving, supporting both synchronous and asynchronous operations via aiosqlite. The vulnerability stems from unsafe coding practices where SQL queries are constructed through direct string concatenation without proper parameterization or escaping of user-supplied input. This improper neutralization of special elements (CWE-89) allows an attacker with limited privileges (local access) to inject arbitrary SQL commands. The injected SQL can manipulate the database queries to bypass access controls and potentially extract sensitive information, compromising confidentiality. The vulnerability does not require user interaction but does require some level of authenticated access, limiting remote exploitation. The CVSS v3.1 score is 7.3 (high), reflecting the significant confidentiality impact and the complexity of exploitation. No known exploits are currently reported in the wild. The issue was addressed in langgraph version 2.0.11 by implementing proper parameterized queries to prevent injection.

For European organizations, this vulnerability poses a significant risk to the confidentiality of data managed by applications using vulnerable versions of langgraph. Attackers with local or limited access could exploit the SQL injection to bypass access controls and extract sensitive information from SQLite databases. This could lead to data breaches involving personal data, intellectual property, or other confidential information, potentially violating GDPR and other data protection regulations. While the vulnerability does not directly affect system availability or integrity to a large extent, the confidentiality breach alone can have severe reputational and legal consequences. Organizations relying on langgraph for AI or data processing workflows should be aware that exploitation requires some level of access, so insider threats or compromised accounts are primary concerns. The impact is heightened in sectors with stringent data privacy requirements such as finance, healthcare, and government within Europe.

European organizations should immediately upgrade langgraph to version 2.0.11 or later, where the vulnerability is fixed by proper parameterization of SQL queries. Until upgrading is possible, restrict access to systems running vulnerable versions to trusted users only and monitor for unusual database query activity. Implement strict access controls and auditing on systems using langgraph to detect potential misuse. Employ runtime application self-protection (RASP) or database activity monitoring tools to detect and block suspicious SQL commands. Conduct code reviews and penetration testing focused on SQL injection vectors in custom integrations with langgraph. Additionally, ensure that database user permissions are minimized to limit the impact of any injection attempts. Regularly update and patch all dependencies to reduce exposure to similar vulnerabilities.