Check Point Research analyzed LangGraph and discovered three vulnerabilities in its persistence layer. The SQLite checkpointer suffers from a SQL injection vulnerability in the filter parameter used to query checkpoint metadata, allowing injection of arbitrary SQL code. This injection can be used to add a fake checkpoint row with attacker-controlled serialized data. The deserialization of this data uses unsafe msgpack deserialization with a custom extension handler that can execute arbitrary Python code, enabling remote code execution. A similar SQL injection exists in the Redis checkpointer. The attack chain requires exposing the get_state_history() method with a user-controlled filter and self-hosting LangGraph with SQLite or Redis checkpointers. LangChain patched these issues in langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+. The managed cloud service uses PostgreSQL and is not vulnerable.

Successful exploitation allows an attacker to perform SQL injection to inject malicious checkpoint data into the database query results. This data is then deserialized unsafely using msgpack with a custom extension hook that can execute arbitrary code. This leads to remote code execution on the server hosting LangGraph, enabling full control over the system. The vulnerabilities affect self-hosted LangGraph deployments using SQLite or Redis checkpointers with exposed get_state_history() methods accepting user-controlled filters. The managed cloud service LangSmith Deployment is not affected.

LangChain has released official patches addressing these vulnerabilities. Users should update to langgraph-checkpoint-sqlite version 3.0.1 or later, langgraph version 1.0.10 or later, and langgraph-checkpoint-redis version 1.0.2 or later. The managed cloud service LangSmith Deployment uses PostgreSQL and is not vulnerable. Applying these updates effectively mitigates the risk of exploitation. No additional mitigations are required if these patches are applied.