CVE-2025-64439

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the "json" serialization mode. By default, the serializer attempts to use "msgpack" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the "json" mode. This issue is fixed in version 3.0.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/langchain-ai/langgraph/blob/c5744f583b11745cd406f3059903e17bbcdcc8ac/libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py
https://github.com/langchain-ai/langgraph/commit/c5744f583b11745cd406f3059903e17bbcdcc8ac
https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D3.0.0
https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5

Configurations

No configuration.

History

No history.

Information

Published : 2025-11-07 21:15

Updated : 2025-11-12 16:20

NVD link : CVE-2025-64439

Mitre link : CVE-2025-64439

CVE.ORG link : CVE-2025-64439

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-64439", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-11-07T21:15:41.690", "references": [{"url": "https://github.com/langchain-ai/langgraph/blob/c5744f583b11745cd406f3059903e17bbcdcc8ac/libs/checkpoint/langgraph/checkpoint/serde/jsonplus.py", "source": "security-advisories@github.com"}, {"url": "https://github.com/langchain-ai/langgraph/commit/c5744f583b11745cd406f3059903e17bbcdcc8ac", "source": "security-advisories@github.com"}, {"url": "https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D3.0.0", "source": "security-advisories@github.com"}, {"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-wwqv-p2pp-99h5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE) vulnerability when deserializing payloads saved in the \"json\" serialization mode. By default, the serializer attempts to use \"msgpack\" for serialization. However, prior to version 3.0 of the checkpointer library, if illegal Unicode surrogate values caused serialization to fail, it would fall back to using the \"json\" mode. This issue is fixed in version 3.0.0."}, {"lang": "es", "value": "LangGraph SQLite Checkpoint es una implementaci\u00f3n de LangGraph CheckpointSaver que utiliza una base de datos SQLite (tanto s\u00edncrona como as\u00edncrona, a trav\u00e9s de aiosqlite). En las versiones 2.1.2 e inferiores, el JsonPlusSerializer (utilizado como el protocolo de serializaci\u00f3n predeterminado para todo el proceso de checkpointing) contiene una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE) al deserializar cargas \u00fatiles guardadas en el modo de serializaci\u00f3n \"json\". Por defecto, el serializador intenta usar \"msgpack\" para la serializaci\u00f3n. Sin embargo, antes de la versi\u00f3n 3.0 de la librer\u00eda del checkpointer, si valores sustitutos Unicode ilegales causaban que la serializaci\u00f3n fallara, recurrir\u00eda al uso del modo \"json\". Este problema est\u00e1 solucionado en la versi\u00f3n 3.0.0."}], "lastModified": "2025-11-12T16:20:22.257", "sourceIdentifier": "security-advisories@github.com"}