CVE-2025-67644: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in langchain-ai langgraph
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.
AI Analysis
Technical Summary
CVE-2025-67644 is an SQL injection vulnerability identified in langchain-ai's langgraph product, specifically in versions prior to 3.0.1. The vulnerability arises from the CheckpointSaver component, which uses SQLite databases for storing checkpoint data both synchronously and asynchronously via aiosqlite. The root cause is improper neutralization of special elements in SQL commands (CWE-89), where the _metadata_predicate() function constructs SQL queries by directly interpolating metadata filter keys into Python f-strings without any validation or sanitization. This design flaw allows attackers to inject malicious SQL code through the metadata filter keys parameter, not just the filter values, which is uncommon and increases the attack surface. Exploitation requires low privileges (PR:L) but no user interaction (UI:N), and the attack vector is local (AV:L), meaning the attacker needs some level of access to the system or application environment. The vulnerability impacts confidentiality severely (C:H), with limited impact on integrity (I:L) and no impact on availability (A:N). The scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to applications relying on langgraph for checkpointing with untrusted metadata inputs. The issue was addressed in langgraph version 3.0.1 by implementing proper input validation and sanitization to prevent SQL injection. Organizations using affected versions should upgrade promptly and review their use of metadata filters in checkpoint operations to avoid injection risks.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive data stored within langgraph's SQLite databases, potentially exposing intellectual property, user data, or operational metadata. The ability to manipulate SQL queries through untrusted metadata filter keys could allow attackers to extract confidential information or subtly alter data integrity, undermining trust in AI-driven applications that rely on langgraph for state persistence. Given the increasing adoption of AI and machine learning frameworks in sectors such as finance, healthcare, and critical infrastructure across Europe, exploitation could have regulatory and reputational consequences, including violations of GDPR due to data breaches. The local attack vector implies that attackers may need some level of access, such as compromised internal accounts or insider threats, which are realistic in complex enterprise environments. The lack of known exploits suggests the window for proactive mitigation is still open, but the high CVSS score and scope change indicate that the vulnerability should be treated as a priority. Failure to address this could lead to lateral movement within networks, data exfiltration, or manipulation of AI model states, impacting decision-making processes and operational continuity.
Mitigation Recommendations
1. Upgrade immediately to langgraph version 3.0.1 or later, where the vulnerability is fixed.
2. Implement strict validation on all metadata filter keys before the checkpoint system processes them, accepting only expected keys made of safe identifier characters.
3. Restrict access to the checkpointing functionality and its metadata inputs to trusted users and systems only, minimizing the risk of local exploitation.
4. Employ application-layer firewalls or runtime application self-protection (RASP) tools that can detect and block SQL query patterns indicative of injection attempts.
5. Conduct code reviews and penetration testing focused on metadata handling and checkpoint operations to identify any residual injection vectors.
6. Monitor logs for unusual query patterns or errors related to checkpoint searches that could indicate attempted exploitation.
7. Educate developers and security teams about the risks of interpolating untrusted input directly into SQL text, and promote parameterized queries or ORM frameworks that prevent injection by construction (noting that parameters protect values only; keys and other identifiers still need an allowlist).
8. For organizations unable to upgrade immediately, implement compensating controls such as input-filtering proxies or sandboxing of the checkpointing process to limit potential damage.
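The root cause described in the technical summary and the validation recommended in items 2 and 7 above are easier to see side by side. The following is an added illustration written for this page; it is not langgraph's own code. It assumes a simplified `checkpoints` table with a JSON `metadata` column, an allowlist of filter keys (`source`, `step`, `writes`, `parents`), and uses SQLite's `json_extract` to stand in for whatever path expression the real predicate builds. The vulnerable builder places the filter key into the SQL text with an f-string while binding only the value; the hardened builder rejects any key that is not on the allowlist or that contains anything beyond identifier characters, so a key carrying a quote never reaches the query text.

```python
import json
import re
import sqlite3

# Constructed sample checkpoint rows; the column layout (thread_id, metadata
# stored as JSON text) is an assumption for this illustration, not the
# project's real schema.
SAMPLE_ROWS = [
    ("thread-1", json.dumps({"source": "input", "step": 1})),
    ("thread-2", json.dumps({"source": "loop", "step": 2})),
    ("thread-3", json.dumps({"source": "loop", "step": 3})),
]

# Keys a checkpoint search is expected to filter on (assumed allowlist).
ALLOWED_METADATA_KEYS = frozenset({"source", "step", "writes", "parents"})
SAFE_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_db():
    """Create an in-memory SQLite table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_metadata_predicate(metadata_filter):
    """The CWE-89 pattern from the advisory: the filter KEY is interpolated into
    the SQL text with an f-string, so only the VALUE is parameterised.
    Illustrative reconstruction, not langgraph's actual function."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")  # key unchecked
        params.append(value)
    return " AND ".join(clauses) or "1 = 1", params


def key_is_safe(key):
    """True only for keys that are on the allowlist and match the identifier
    pattern, so no quote, dot or SQL metacharacter can reach the query text."""
    return (
        isinstance(key, str)
        and bool(SAFE_KEY_RE.match(key))
        and key in ALLOWED_METADATA_KEYS
    )


def safe_metadata_predicate(metadata_filter):
    """Hardened variant: reject any key that fails key_is_safe() before it is
    placed in the SQL text; values stay bound as parameters."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not key_is_safe(key):
            raise ValueError(f"unsupported metadata filter key: {key!r}")
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1 = 1", params


def search(conn, metadata_filter, predicate_fn):
    """Run a checkpoint search using the given predicate builder and return
    the matching thread ids in a stable order."""
    where, params = predicate_fn(metadata_filter)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = build_db()
    print("hardened search:", search(conn, {"source": "loop"}, safe_metadata_predicate))
    bad_filter = {"bad'key": 1}  # a key containing a quote, constructed for the demo
    print("vulnerable builder emits:", vulnerable_metadata_predicate(bad_filter)[0])
    try:
        safe_metadata_predicate(bad_filter)
    except ValueError as exc:
        print("hardened builder rejects:", exc)
```

Running the module shows the vulnerable builder emitting `json_extract(metadata, '$.bad'key') = ?`, with the quote from the key now part of the SQL text, while the hardened builder raises before any SQL is assembled. The allowlist is the important part: a regex alone protects the query syntax, but restricting keys to the fields the application actually stores also keeps a caller from probing other JSON paths. When reviewing similar code, look for any f-string or `%`-formatting whose operand is a dictionary key, column name or path fragment, since parameter binding cannot cover those positions.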
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-09T18:36:41.330Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693a0800e425ca5072db0c66
Added to database: 12/10/2025, 11:53:36 PM
Last enriched: 12/18/2025, 12:52:14 AM
Last updated: 2/7/2026, 10:07:52 AM