
CVE-2025-67644: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in langchain-ai langgraph

Severity: High
Type: Vulnerability
Tags: CVE-2025-67644, CWE-89
Published: Wed Dec 10 2025 (12/10/2025, 23:37:36 UTC)
Source: CVE Database V5
Vendor/Project: langchain-ai
Product: langgraph

Description

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.

AI-Powered Analysis

Last updated: 12/11/2025, 00:08:37 UTC

Technical Analysis

CVE-2025-67644 is a SQL injection vulnerability (CWE-89) in langchain-ai's langgraph product, affecting versions prior to 3.0.1. The flaw lies in the SQLite CheckpointSaver implementation, which persists checkpoints to a SQLite database both synchronously and asynchronously via aiosqlite. Specifically, the _metadata_predicate() function builds the WHERE clause of checkpoint search queries by interpolating metadata filter keys directly into Python f-strings, with no validation of the key names. Because the filter keys, not only the filter values, can be attacker-controlled in checkpoint search operations, a crafted key changes the structure of the generated SQL rather than merely the value being compared. This can lead to unauthorized data access or leakage, affecting confidentiality and integrity. The vulnerability requires low attack complexity and only low privileges, with no user interaction, but local access to the application is necessary (AV:L). The scope is rated changed (S:C) because the injection can affect multiple database queries. The CVSS 3.1 base score is 7.3 (high), reflecting a high confidentiality impact and a low integrity impact, with no availability impact. The issue was publicly disclosed on December 10, 2025, and is fixed in version 3.0.1. No exploitation in the wild has been reported yet, but the vulnerability poses a serious risk to applications that rely on langgraph for checkpoint storage and search.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive data stored in SQLite databases managed by langgraph, especially in AI or data processing applications that utilize the CheckpointSaver feature. Attackers with local access or the ability to influence metadata filter keys can exploit this flaw to extract confidential information or manipulate query results, undermining data integrity. This is particularly concerning for sectors handling sensitive personal data, such as finance, healthcare, and government agencies, which are subject to strict data protection regulations like GDPR. The compromise of data confidentiality could result in regulatory penalties, reputational damage, and operational disruptions. Additionally, since langgraph is used in AI workflows, the integrity of AI model checkpoints and metadata could be affected, potentially impacting AI decision-making processes. The lack of known exploits currently provides a window for mitigation, but the ease of exploitation and high impact necessitate urgent attention.

Mitigation Recommendations

European organizations should immediately upgrade langgraph to version 3.0.1 or later, where the vulnerability is fixed. Until upgrading is possible, implement strict input validation and sanitization on all metadata filter keys used in checkpoint search operations to prevent injection of malicious SQL code. Avoid accepting untrusted or user-supplied filter keys without validation. Employ application-layer security controls such as parameterized queries or prepared statements instead of string interpolation for SQL query construction. Conduct thorough code reviews and security testing focusing on all points where metadata filters are processed. Monitor application logs for unusual query patterns or errors indicative of attempted SQL injection. Restrict local access to systems running langgraph to trusted users only, minimizing the attack surface. Finally, integrate vulnerability scanning and penetration testing into the development lifecycle to detect similar injection flaws proactively.
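The analysis above describes the defect as filter keys being interpolated into the SQL text, and the mitigation section recommends key validation plus parameterized queries. The following added example (not code from the langgraph project; the shape of the predicate builder and the checkpoint table are assumptions for illustration) contrasts a builder with the described flaw against a hardened one that validates keys against an identifier allowlist and binds the JSON path as a query parameter, then runs both against a constructed in-memory SQLite table.

```python
import json
import re
import sqlite3
from typing import Any

# Constructed sample checkpoint rows: (thread_id, metadata dict).
SAMPLE_ROWS = [
    ("t1", {"source": "input", "step": 1}),
    ("t2", {"source": "loop", "step": 2}),
    ("t3", {"source": "input", "step": 3}),
]

# Only identifier-like metadata keys are allowed to reach the query at all.
KEY_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _metadata_predicate_vulnerable(metadata_filter: dict[str, Any]) -> tuple[str, list]:
    """Assumed shape of the flawed builder: the key lands inside the SQL text.

    Only the value is bound; the key becomes part of the JSON path literal,
    so any quote or SQL syntax in the key alters the query structure.
    """
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return (" AND ".join(clauses) or "1=1"), params


def _metadata_predicate_hardened(metadata_filter: dict[str, Any]) -> tuple[str, list]:
    """Hardened form: reject non-identifier keys and bind the path as a parameter.

    The SQL text is now constant per clause; both the JSON path and the
    compared value travel as bound parameters, so the key can never change
    the statement's structure.
    """
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not KEY_PATTERN.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return (" AND ".join(clauses) or "1=1"), params


def search(metadata_filter: dict[str, Any], predicate_builder=_metadata_predicate_hardened) -> list[str]:
    """Run a checkpoint search against a fresh in-memory table with the chosen builder."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [(tid, json.dumps(md)) for tid, md in SAMPLE_ROWS],
    )
    where, params = predicate_builder(metadata_filter)
    rows = conn.execute(
        f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id", params
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def key_reaches_sql_text(key: str) -> bool:
    """Audit helper: True if the vulnerable builder copies the key into the SQL string."""
    sql, _ = _metadata_predicate_vulnerable({key: 0})
    return key in sql


if __name__ == "__main__":
    print(search({"source": "input"}))            # hardened: ['t1', 't3']
    print(key_reaches_sql_text("step'"))          # True: the quote lands in the query
    try:
        search({"step'": 1})                       # hardened builder refuses the key
    except ValueError as exc:
        print(exc)
```

The allowlist regex is deliberately strict: legitimate checkpoint metadata keys are plain identifiers, so anything containing quotes, spaces, or punctuation is rejected before a statement is even assembled. Binding the JSON path with `?` is belt-and-braces on top of that check; SQLite's `json_extract` accepts the path as a bound parameter, so there is no need for string interpolation at all.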


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-09T18:36:41.330Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 693a0800e425ca5072db0c66

Added to database: 12/10/2025, 11:53:36 PM

Last enriched: 12/11/2025, 12:08:37 AM

Last updated: 12/11/2025, 1:19:29 AM

