By Yarden PoratAI agents need memory. Frameworks like LangGraph provide it through checkpointers – persistence layers that store execution state. But what happens when that persistence layer isn’t locked down?Key PointsCheck Point Research analyzed LangGraph, an open-source framework for stateful AI agents with over 50 million monthly downloads, and uncovered three vulnerabilities in its persistence layer.Two of them chain into remote code execution: a SQL injection in the SQLite checkpointer (CVE-2025-67644) and an unsafe msgpack deserialization (CVE-2026-28277).A third, parallel issue (CVE-2026-27022) introduces the same injection class into the Redis checkpointer.Who’s at risk: teams self-hosting LangGraph with the SQLite or Redis checkpointer, where the application exposes get_state_history() with a user-controlled filter. LangChain’s managed cloud service, LangSmith Deployment (formerly LangGraph Platform), runs PostgreSQL and is not vulnerable.LangChain patched all three issues. Users should update to langgraph-checkpoint-sqlite 3.0.1+, langgraph 1.0.10+, and langgraph-checkpoint-redis 1.0.2+.BackgroundLangGraph is an open-source framework for building stateful, multi-agent AI systems with built-in persistence. It’s an extension of LangChain, with over 50 million monthly downloads according to PyPI stats.Checkpointers are LangGraph’s persistence layer that stores execution state at each step. LangGraph supports two checkpointer implementations: SQLite and PostgreSQL.Vulnerability #1: SQL Injection (CVE-2025-67644)The SQLite Checkpointer Database Schema:The SQLite checkpointer uses an internal table called checkpoints with the following structure:CREATE TABLE checkpoints ( thread_id TEXT NOT NULL, checkpoint_ns TEXT NOT NULL DEFAULT '', checkpoint_id TEXT NOT NULL, parent_checkpoint_id TEXT, type TEXT, checkpoint BLOB, metadata BLOB, PRIMARY KEY (thread_id, checkpoint_ns, checkpoint_id));The metadata column stores additional contextual information about each checkpoint in JSON format. For example:{ "user_id": "alice", "step": 1, "source": "input"}The list() Function and Filtering:When calling the list() function on sqliteSaver (the checkpointer), the filter parameter is used to query checkpoints based on their metadata:def list( self, config: RunnableConfig | None, *, filter: dict[str, Any] | None = None, # Used to filter by metadata before: RunnableConfig | None = None, limit: int | None = None,) -> Iterator[CheckpointTuple]:The filter parameter is passed to an internal function called _metadata_predicate, which constructs the SQL WHERE clause to query checkpoints by their metadata fields.# process metadata query for query_key, query_value in filter.items(): operator, param_value = _where_value(query_value) predicates.append( f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}" ) param_values.append(param_value) return (predicates, param_values)The InjectionThe vulnerability exists in how _metadata_predicate handles the query_key from the filter dictionary.Notice this critical line:f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"An attacker-controlled filter could provide a query_key with a ' character that will escape the JSON path string and inject arbitrary SQL code.Injection -> Arbitrary DeserializationTo understand how SQL injection leads to arbitrary deserialization, we need to see the complete picture.Here’s the SQL query that gets executed in list():query = f"""SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadataFROM checkpoints{where}ORDER BY checkpoint_id DESC"""This query retrieves checkpoint data from the database, including the checkpoint’s BLOB column.The results are then processed:async for ( thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, # ← This comes directly from the SQL query results metadata,) in cur: # ← cur contains the query results # ... yield CheckpointTuple( # ... self.serde.loads_typed((type, checkpoint)), # ← Deserialization # ... )The checkpoint contains serialized data, and when fetched gets deserialized.The AttackUsing SQL injection in the WHERE clause, an attacker can inject a UNION SELECT that adds their own row to the query results:SELECT thread_id, checkpoint_ns, checkpoint_id, parent_checkpoint_id, type, checkpoint, metadataFROM checkpointsWHERE ... (injected: ') UNION SELECT 'thread1', 'ns', 'checkpoint1', NULL, 'msgpack', X'', '{}' -- )ORDER BY checkpoint_id DESCThe injected UNION SELECT returns a fake checkpoint row where the checkpoint column contains attacker-controlled serialized data. When the code loops through the query results, it deserializes this malicious checkpoint’s BLOB, giving the attacker arbitrary deserializationVulnerability #2: MsgPack Unsafe Deserialization (CVE-2026-28277)Now let’s examine what happens during deserialization. The self.serde.loads_typed() function that deserializes checkpoint data looks like this:def loads_typed(self, data: tuple[str, bytes]) -> Any: type_, data_ = data if type_ == "null": return None elif type_ == "bytes": return data_ elif type_ == "bytearray": return bytearray(data_) elif type_ == "json": return json.loads(data_, object_hook=self._reviver) elif type_ == "msgpack": return ormsgpack.unpackb( data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS ) elif self.pickle_fallback and type_ == "pickle": return pickle.loads(data_) else: raise NotImplementedError(f"Unknown serialization type: {type_}")FormatsPickle – is disabled by defaultJSON – The json.loads() with object_hook was discussed in our LangGrinch research, but does not lead to code executionMsgpack – This is the one we are interested inWhat is msgpack?MessagePack (msgpack) is a binary serialization format designed to be faster and more compact than JSON. LangGraph uses ormsgpack, a Rust-based implementation with Python bindings.Msgpack ExtensionsMessagePack allows developers to define custom extension types to handle additional data types beyond its built-in primitives. LangGraph implemented its own extension handler to support serialization of custom Python objects.When the type_ is msgpack, the code calls:ormsgpack.unpackb(data_, ext_hook=self._unpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS)```The `ext_hook` parameter points to LangGraph's custom implementation: `_msgpack_ext_hook`.```pythondef _msgpack_ext_hook(code: int, data: bytes) -> Any: if code == EXT_CONSTRUCTOR_SINGLE_ARG: try: tup = ormsgpack.unpackb( data, ext_hook=_msgpack_ext_hook, option=ormsgpack.OPT_NON_STR_KEYS ) # module, name, arg return getattr(importlib.import_module(tup[0]), tup[1])(tup[2]) except Exception: returnWhen an attacker controls the serialized data, they control both the extension code and the data bytes.The vulnerabilityIf we pass a msgpack with EXT_CONSTRUCTOR_SINGLE_ARG code, and the tuple:ossystemCommand (“echo PWN > /tmp/pwned.txt” for example)When this line executes:return getattr(importlib.import_module(tup[0]), tup[1])(tup[2])It will:1. Import the os module2. Get the system function from it3. Call os.system("echo PWN > /tmp/pwned.txt")This gives an attacker arbitrary code execution – by calling os.system() with attacker-controlled commands, they can execute any shell command on the server.The Attack Chain: Combining Both VulnerabilitiesNow let’s walk through how an attacker chains these two vulnerabilities together to achieve remote code execution.The Entry Point: When a developer exposes get_state_history(), it internally calls the checkpointer’s list() method to retrieve historical checkpoints:def get_state_history( self, config: RunnableConfig, *, filter: Optional[Dict[str, Any]] = None, before: Optional[RunnableConfig] = None, limit: Optional[int] = None,) -> Iterator[StateSnapshot]: # ... for checkpoint_tuple in self.checkpointer.list(config, filter=filter, before=before, limit=limit): # Process and return checkpoint dataIf the filter parameter comes from user input without sanitization, an attacker controls the dictionary keys passed to the SQL injection vulnerability.The Attack Flow1. Craft Malicious Payload: The attacker prepares a msgpack payload containing instructions to execute arbitrary code (e.g., run a shell command).2. Exploit SQL Injection: The attacker sends a malicious filter parameter that exploits the SQL injection vulnerability. This injection adds a fake checkpoint row to the database query results, where the checkpoint column contains their malicious msgpack payload.3. Trigger Deserialization: When the application processes the query results, it encounters the injected fake checkpoint and deserializes the malicious msgpack data.4. Code Execution: The unsafe deserialization executes the attacker’s payload, giving them remote code execution on the server.Vulnerability #3: SQL Injection in the Redis Checkpointer (CVE-2026-27022)The same injection class affects langgraph-checkpoint-redis: user-controlled keys in the filter dictionary are interpolated directly into the query instead of bound as parameters. Preconditions match CVE-2025-67644 (the application exposes get_state_history() with a user-controlled filter and uses the Redis checkpointer). Patched in langgraph-checkpoint-redis 1.0.2.Additional SQL Injection FindingsBeyond the primary SQL injection in the filter parameter, we identified additional defense-in-depth SQL injection issues in both the SQLite and PostgreSQL checkpointers. These involved direct concatenation of integer values (such as LIMIT and ttl parameters) into SQL queries instead of using parameterized bindings.Since Python doesn’t enforce type hints at runtime, these parameters could still accept malicious string input. We worked with the LangChain team during disclosure to remediate these issues using parameterized queries.Disclosure Timeline2025-11-19: CVE-2025-67644 (SQL injection), CVE-2026-28227 (msgpack deserialization) And CVE-2026-27022 (Redis injection) disclosed to LangChain team2025-12-10: CVE-2025-67644 fixed and publicly released in langgraph-checkpoint-sqlite 3.0.12026-02-20: CVE-2026-27022 fixed and publicly released in langgraph-checkpoint-redis 1.0.22026-03-05: CVE-2026-28277 fixed and publicly released in langgraph-checkpoint 4.0.1Note on Vendor ResponseThe LangChain team responded quickly to fix the critical SQL injection vulnerability, which effectively breaks the attack chain described in this research. They continue to work methodically on additional remediation efforts, including the msgpack deserialization issue.Additional ResearchThere was significant community research into LangGraph security during November and December 2025. Other security researchers independently discovered CVE-2025-67644 and CVE-2026-28277. Full credits can be found in LangChain’s security advisories.The post From SQLi to RCE – Exploiting LangGraph’s Checkpointer appeared first on Check Point Research.