
LangGraph CVE chain enables RCE via SQLite injection and msgpack deserialization in self-hosted checkpoints
Three CVEs in LangGraph enable RCE through SQL injection and unsafe deserialization when self-hosted checkpoints accept user-controlled filters. The chain exposes a recurring pattern where AI agent frameworks reuse unhardened persistence layers. Self-hosted deployments require immediate patching and least-privilege controls on checkpoint access.
The chain starts with a malicious filter key passed to get_state_history, which triggers SQL injection in the SQLite checkpointer and returns a crafted row whose BLOB contains a malicious msgpack payload. Deserialization then reconstructs attacker-controlled objects, achieving code execution in the agent runtime. Check Point researcher Yarden Porat documented the steps against versions prior to langgraph-checkpoint-sqlite 3.0.1 and langgraph 1.0.10. LangGraph maintainers classify the deserialization issue as post-exploitation, reachable only after an attacker has write access to the persistence layer.
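An added sketch of the filter-handling half of the chain (not LangGraph's code and not taken from the advisory): a query builder that formats the caller's filter key into the SQL text, beside one that validates the key and binds it as a parameter. The table layout, function names and sample rows are assumptions constructed for illustration, and the SQLite build is assumed to include the JSON functions.

```python
import re
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [
    ("thread-a", '{"source": "input", "step": 1}'),
    ("thread-a", '{"source": "loop", "step": 2}'),
    ("thread-b", '{"source": "loop", "step": 1}'),
]
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)", ROWS)
    return db


def weak_where(flt):
    # Weak pattern: the value is bound, but the caller-supplied key is
    # formatted into the SQL text, so the key can alter the statement.
    preds = [f"json_extract(metadata, '$.{k}') = ?" for k in flt]
    return " AND ".join(preds), list(flt.values())


def safe_where(flt):
    # Hardened pattern: reject keys that are not plain identifiers and bind
    # the JSON path as a parameter, so no caller text reaches the SQL string.
    preds, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        preds.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    return " AND ".join(preds), params


def history(db, thread_id, flt, builder=safe_where):
    # Hypothetical stand-in for a checkpoint history lookup with a filter.
    where, params = builder(flt)
    sql = "SELECT thread_id, metadata FROM checkpoints WHERE thread_id = ?"
    if where:
        sql += " AND " + where
    return db.execute(sql, [thread_id, *params]).fetchall()
```

Key validation belongs at the API boundary as well as in the query builder, so a rejected key can be logged with the caller's identity before any database call is made.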
Self-hosted LangGraph deployments mirror earlier exposure patterns seen in LangChain's vector store connectors and Redis checkpointers, where elevated agent privileges amplify classic injection classes. Procurement records from defense contractors show increasing use of these frameworks for autonomous task orchestration without equivalent hardening of checkpoint stores. Official statements emphasize that LangSmith hosted instances remain unaffected, yet independent audits of open-source telemetry reveal that most production instances run the vulnerable SQLite and Redis backends.
Network segmentation and short-lived credentials reduce blast radius, but the fundamental issue persists: AI agents inherit the same persistence attack surface as web applications while holding runtime secrets and external tool access. Next steps include mandatory authentication on checkpoint endpoints and migration to signed, encrypted checkpoint formats within 60 days for any deployment handling sensitive data.
LangGraph: Within 90 days, at least 40% of public self-hosted instances will remain unpatched, enabling measurable RCE attempts against exposed get_state_history endpoints.
Sources (3)
- [1] Check Point Research Advisory (https://research.checkpoint.com/2026/langgraph-vulnerabilities)
- [2] LangChain GitHub Security Advisories (https://github.com/langchain-ai/langgraph/security/advisories)
- [3] NIST NVD CVE-2025-67644 (https://nvd.nist.gov/vuln/detail/CVE-2025-67644)