
6 matches found

OSV
added 2026/02/25 10:59 p.m. | 3 views

GHSA-MHR3-J7M5-C7C9 LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution

Context: A Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to langgraph-checkpoint 4.0.0, BaseCache defaults to JsonPlusSerializer(pickle_fallback=True). When...

CVSS 6.6 | AI score 6.8 | EPSS 0.00366
Exploits 0 | References 6
OSV
added 2025/11/07 8:15 p.m. | 6 views

CVE-2025-64439 LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE)...

CVSS 7.4 | AI score 7.3 | EPSS 0.01261
Exploits 0 | References 6
Vulnrichment
added 2025/11/07 8:15 p.m. | 1 views

CVE-2025-64439 LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all checkpointing) contains a Remote Code Execution (RCE)...

CVSS 7.4 | AI score 6.8 | EPSS 0.01261
Exploits 0 | References 4
CNNVD
added 2025/11/07 12:0 a.m. | 2 views

langgraph code issue vulnerability

langgraph is a large modeling framework open-sourced by LangChain. A code issue vulnerability exists in langgraph version 2.1.2 and below, which stems from a remote code execution vulnerability in JsonPlusSerializer when deserializing payloads saved in json mode...

CVSS 7.4 | AI score 8 | EPSS 0.01261
Exploits 0 | References 5
Snyk
added 2025/11/05 7:52 p.m. | 2 views

Deserialization of Untrusted Data

Overview: langgraph-checkpoint-sqlite is a library with a SQLite implementation of LangGraph checkpoint saver. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the JsonPlusSerializer deserialization process of payloads saved in the json serialization mode. ...

CVSS 8.5 | AI score 7.9 | EPSS 0.01261
Exploits 0 | References 2
Positive Technologies
added 2025/11/05 12:0 a.m. | 5 views

PT-2025-45384

Name of the Vulnerable Software and Affected Versions: LangGraph versions 2.1.2 and below. Description: LangGraph’s SQLite Checkpoint, which utilizes SQLite databases for checkpoint saving, contains a Remote Code Execution (RCE) issue in the JsonPlusSerializer when deserializing payloads saved in "jso...

CVSS 7.4 | AI score 8.3 | EPSS 0.01261
Exploits 0 | References 21