Exploiting Persistent Layers: Vulnerabilities in LangGraph Framework
TL;DR
Check Point Research has identified three vulnerabilities in LangGraph, an open-source framework for stateful AI agents. Two of these vulnerabilities could lead to remote code execution through SQL injection and unsafe deserialization.
Main Analysis
LangGraph, a framework with over 50 million monthly downloads, incorporates checkpointers as its persistence layer. Check Point Research assessed these components and revealed vulnerabilities in both the SQLite and Redis implementations. The vulnerabilities include SQL injection in the SQLite checkpointer (CVE-2025-67644) and unsafe msgpack deserialization (CVE-2026-28277), which together can enable attackers to execute arbitrary code. A third vulnerability (CVE-2026-27022) affects the Redis checkpointer, mirroring the SQL injection issue present in the SQLite version.
The SQL injection vulnerability originates from the filter parameter in the get_state_history() method, which improperly handles user input. An attacker can manipulate this parameter to construct a malicious SQL query. This manipulation allows the attacker to inject a UNION SELECT clause that adds a fake checkpoint row to the retrieved data, followed by a malicious BLOB for deserialization. The list() method processes this query without sufficient sanitization, leading to executing arbitrary deserialization and, ultimately, remote code execution.
In addition to these critical vulnerabilities, Check Point Research found further injection risks involving integer parameters due to direct concatenation within SQL queries, which could lead to additional attack vectors.
Defensive Context
Organizations utilizing LangGraph, particularly those self-hosting the framework with SQLite or Redis checkpointers, should be aware of these vulnerabilities. Notably, environments where user-generated input influences application logic drastically increase exposure. Conversely, users leveraging LangChain’s managed cloud service, LangSmith Deployment, employing PostgreSQL, are not affected.
Why This Matters
The vulnerabilities pose a significant threat to teams that have poorly secured their LangGraph installations. Organizations in sectors relying on AI models that use this framework and expose sensitive functions like get_state_history() could be particularly vulnerable, allowing attackers to hijack control of servers through these flaws.
Defender Considerations
Defenders should apply the available patches: update to langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+. Additionally, any applications exposing the get_state_history() method with unfiltered user inputs should be reviewed for security compliance.
Indicators of Compromise (IOCs)
- CVE-2025-67644: SQL injection vulnerability in SQLite checkpointer
- CVE-2026-28277: Unsafe deserialization vulnerability
- CVE-2026-27022: SQL injection vulnerability in Redis checkpointer
