Critical LangGraph Vulnerability Enables Remote Code Execution via Deserialization
A significant security flaw has been identified in LangGraph’s checkpoint serialization system, posing a substantial risk to applications utilizing this framework. Designated as CVE-2025-64439, this vulnerability affects versions of langgraph-checkpoint prior to 3.0 and allows attackers to execute arbitrary Python code during the deserialization process.
Understanding the Vulnerability
The core of this issue lies within LangGraph’s JsonPlusSerializer, the default protocol for checkpoint persistence. When encountering illegal Unicode surrogate values during msgpack serialization, the system defaults to JSON mode. In this fallback state, the deserializer supports a constructor-style format that reconstructs custom objects during loading. This mechanism can be exploited by attackers to inject malicious payloads that execute arbitrary functions upon deserialization.
Technical Details
– CVE ID: CVE-2025-64439
– Vulnerability Type: Remote Code Execution (RCE)
– Component Affected: LangGraph JsonPlusSerializer
– Affected Versions: langgraph-checkpoint versions before 3.0
– Patched Versions: langgraph-checkpoint version 3.0 and later
– Severity: High (CVSS score of 8.5)
– Attack Vector: Network
Exploitation Mechanism
An attacker can craft a malicious payload structured with specific JSON elements: an lc value of 2, a type set to constructor, and an id field pointing to dangerous system functions like os.system. When the compromised checkpoint is loaded, the deserialization process automatically executes the embedded command, leading to potential system compromise.
Impacted Applications
This vulnerability primarily affects applications that:
1. Allow untrusted or user-supplied data to be persisted into checkpoints.
2. Utilize the default JsonPlusSerializer or explicitly instantiate it.
Applications processing only trusted data face significantly lower practical risk. Notably, LangGraph-API deployments running version 0.5 or later are unaffected.
Mitigation and Remediation
To address this critical issue, LangChain has released langgraph-checkpoint version 3.0. This update implements an allow-list for constructor deserialization, restricting permissible paths to explicitly approved module and class combinations. Additionally, saving payloads in JSON format has been deprecated to eliminate the unsafe fallback mechanism.
Recommendations for Users
Users are strongly advised to upgrade to langgraph-checkpoint version 3.0 or later immediately. The update maintains full compatibility with langgraph 0.3 and requires no code modifications or import changes, making the patching process straightforward and low-risk for most deployments.
Conclusion
The discovery of CVE-2025-64439 underscores the critical importance of secure deserialization practices in software development. By promptly updating to the latest version of langgraph-checkpoint, organizations can protect their systems from potential exploitation and ensure the integrity of their applications.
