CVE-2025-64439 is a deserialization of untrusted data vulnerability (CWE-502) found in the langgraph product of langchain-ai, specifically in versions prior to 3.0.0. LangGraph SQLite CheckpointSaver uses a serialization protocol called JsonPlusSerializer, which defaults to msgpack serialization for checkpointing data. However, when msgpack serialization fails due to illegal Unicode surrogate values, the serializer falls back to using a JSON serialization mode that is vulnerable. This fallback mode does not safely handle deserialization of untrusted data, allowing an attacker to craft malicious payloads that, when deserialized, lead to remote code execution (RCE). The vulnerability requires low privileges and partial authentication but does not require user interaction, making it easier to exploit in automated or semi-automated attack scenarios. The issue was addressed in version 3.0.0 of the checkpointer library by removing the unsafe fallback to JSON serialization. The vulnerability has a CVSS 4.0 score of 7.4, reflecting its high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity. No known exploits are currently reported in the wild, but the potential for severe impact exists given the nature of RCE vulnerabilities in software development and AI tooling environments.

For European organizations, this vulnerability poses a significant risk, especially for those relying on langgraph for AI model checkpointing, data science workflows, or software development processes. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to execute arbitrary commands, potentially leading to data breaches, system compromise, or disruption of critical AI services. This could impact confidentiality by exposing sensitive data, integrity by altering checkpoint data or models, and availability by causing denial of service or system instability. Organizations in sectors such as finance, healthcare, research, and technology, which increasingly use AI frameworks, are particularly vulnerable. The requirement for low privileges and no user interaction increases the likelihood of exploitation in automated environments. Additionally, the fallback mechanism triggered by malformed Unicode data could be exploited via crafted inputs, increasing the attack surface. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur.

The primary mitigation is to upgrade langgraph and the associated checkpointer library to version 3.0.0 or later, where the unsafe JSON fallback serialization has been removed. Organizations should audit their use of serialization and deserialization processes within AI workflows to ensure no untrusted data is processed without validation. Implement strict input validation and sanitization to prevent illegal Unicode surrogate values from triggering fallback serialization. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to monitor for suspicious deserialization activities. Restrict access to systems running langgraph to trusted users and networks, and enforce the principle of least privilege to limit the impact of potential exploitation. Regularly review and update dependency management to promptly apply security patches. Finally, conduct security awareness training for developers and system administrators about the risks of deserialization vulnerabilities and secure coding practices.