CVE-2025-64439 Overview
CVE-2025-64439 is an Insecure Deserialization vulnerability affecting LangGraph SQLite Checkpoint, an implementation of LangGraph CheckpointSaver that uses SQLite DB for both synchronous and asynchronous operations via aiosqlite. The vulnerability exists in the JsonPlusSerializer component, which is used as the default serialization protocol for all checkpointing operations. When deserializing payloads saved in "json" serialization mode, attackers can achieve Remote Code Execution (RCE) on affected systems.
By default, the serializer attempts to use "msgpack" for serialization. However, in versions prior to 3.0, if illegal Unicode surrogate values caused serialization to fail, the system would fall back to using the vulnerable "json" mode. This fallback behavior creates an exploitable condition where malicious serialized payloads can be injected and executed.
Critical Impact
Remote Code Execution vulnerability in LangGraph checkpoint deserialization allows attackers with low privileges to execute arbitrary code on systems running affected versions, potentially compromising AI/ML pipeline integrity.
Affected Products
- LangGraph SQLite Checkpoint versions 2.1.2 and below
- LangGraph checkpoint library versions prior to 3.0.0
- Systems using JsonPlusSerializer with "json" serialization mode
Discovery Timeline
- 2025-11-07 - CVE-2025-64439 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-64439
Vulnerability Analysis
This vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). The flaw resides in the JsonPlusSerializer class within the LangGraph checkpoint library. The core issue stems from the serializer's dual-mode operation: while "msgpack" is the preferred serialization format, the system contains a fallback mechanism that switches to "json" mode when Unicode surrogate value errors occur during msgpack serialization.
The "json" serialization mode in affected versions does not properly validate or sanitize incoming data before deserialization, creating a classic insecure deserialization vulnerability. An attacker with the ability to manipulate checkpoint data stored in the SQLite database can craft malicious payloads that, when deserialized by the vulnerable JsonPlusSerializer, result in arbitrary code execution.
The attack requires network access and low privileges, but no user interaction is needed. The vulnerability has significant potential for lateral movement, as compromised checkpoints could affect downstream components that consume the AI/ML pipeline data.
Root Cause
The root cause is the unsafe deserialization of JSON payloads in the JsonPlusSerializer without proper validation or type checking. When the msgpack serialization fails due to illegal Unicode surrogate values, the fallback to JSON mode bypasses security controls that would otherwise prevent malicious object reconstruction. The serializer trusts the incoming data structure without verifying the integrity or safety of the serialized objects, allowing arbitrary code execution through carefully crafted payloads.
Attack Vector
The attack leverages the network-accessible checkpoint system. An attacker with low-level privileges to the system can:
- Trigger or wait for conditions where msgpack serialization fails (e.g., by introducing illegal Unicode surrogate values)
- Inject malicious serialized payloads into checkpoint data stored in the SQLite database
- When the checkpoint is loaded and deserialized using the vulnerable "json" mode, the malicious payload executes arbitrary code
The security patch addresses this by adding explicit JSON import handling and restricting "json" type deserialization to prevent arbitrary object reconstruction:
from __future__ import annotations
+import json
import random
import sqlite3
import threading
Source: GitHub Commit - Security Patch
The async module received a similar fix:
from __future__ import annotations
import asyncio
+import json
import random
from collections.abc import AsyncIterator, Callable, Iterator, Sequence
from contextlib import asynccontextmanager
Source: GitHub Commit - Security Patch
Detection Methods for CVE-2025-64439
Indicators of Compromise
- Unexpected or malformed checkpoint data in SQLite databases associated with LangGraph
- Checkpoint files containing unusual Unicode sequences or surrogate values designed to trigger msgpack fallback
- Anomalous process spawning from Python processes running LangGraph checkpointing operations
- Unexpected network connections originating from checkpoint deserialization contexts
Detection Strategies
- Monitor for unusual deserialization patterns in LangGraph checkpoint operations, particularly fallbacks from msgpack to JSON mode
- Implement file integrity monitoring on SQLite checkpoint databases to detect unauthorized modifications
- Deploy runtime application self-protection (RASP) solutions to detect and block deserialization attacks
- Audit logs for checkpoint load operations that process externally-sourced or modified data
Monitoring Recommendations
- Enable verbose logging for LangGraph checkpoint operations to capture serialization mode switches
- Monitor system calls and process creation events from processes handling checkpoint data
- Implement anomaly detection for checkpoint file sizes and modification patterns
- Set up alerts for failed msgpack serialization attempts followed by JSON fallback mode activation
How to Mitigate CVE-2025-64439
Immediate Actions Required
- Upgrade LangGraph checkpoint library to version 3.0.0 or later immediately
- Audit existing checkpoint data for signs of tampering or malicious payloads
- Restrict access to SQLite checkpoint databases to trusted processes only
- Implement network segmentation to limit exposure of checkpoint storage systems
Patch Information
The vulnerability is fixed in LangGraph checkpoint version 3.0.0. The patch restricts "json" type deserialization to prevent arbitrary code execution through crafted payloads. Organizations should upgrade to this version as soon as possible.
- Fixed Version:3.0.0
- Patch Commit:c5744f583b11745cd406f3059903e17bbcdcc8ac
- Security Advisory:GHSA-wwqv-p2pp-99h5
- Release Notes:LangGraph Checkpoint 3.0.0
Workarounds
- If immediate upgrade is not possible, implement strict access controls on checkpoint databases to prevent unauthorized modifications
- Consider disabling JSON fallback mode in custom serializer configurations if your environment supports it
- Deploy network-level controls to restrict access to systems hosting checkpoint data
- Implement integrity verification for checkpoint data before deserialization
# Upgrade LangGraph checkpoint to patched version
pip install --upgrade langgraph-checkpoint>=3.0.0
# Verify installed version
pip show langgraph-checkpoint | grep Version
# Audit dependencies for vulnerable versions
pip list | grep langgraph
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
