4 min read. For Security Engineers.

LangGraph RCE: SQL Injection in an AI Framework

What Happened

In January 2025, Check Point researcher Yarden Porat disclosed three vulnerabilities in LangGraph, a framework for building stateful AI agent workflows. The most severe, CVE-2025-67644 (CVSS 7.3), allows remote code execution in self-hosted deployments. This vulnerability combines SQL injection in the SQLite checkpointer with unsafe deserialization in the Redis checkpointer.

The attack occurs when self-hosted LangGraph instances use user-controlled filter input with either the SQLite or Redis checkpointer. An attacker can manipulate checkpoint filter parameters to inject SQL, extract serialized state objects, and then deserialize them to execute arbitrary code on the host system.

LangChain patched the vulnerabilities in langgraph-checkpoint-sqlite version 3.0.1 and updated the Redis checkpointer. Their managed platform, LangSmith Deployment, was never vulnerable—only self-hosted instances running affected versions were at risk.

Timeline

Discovery: Check Point identifies the vulnerability chain during security research into AI framework attack surfaces.

Disclosure: Yarden Porat reports findings to LangChain through responsible disclosure.

Patch Release: LangChain releases langgraph-checkpoint-sqlite 3.0.1 and updates the Redis checkpointer to address all three CVEs.

Public Disclosure: Check Point publishes technical details after patch availability.

The exact dates between discovery and patch are not publicly available, but the timeline followed standard coordinated disclosure practices.

Which Controls Failed or Were Missing

Input Validation (OWASP Top 10 A03:2021 - Injection)

The SQLite checkpointer accepted user-controlled filter parameters without sanitization. This class of vulnerability is common but often overlooked in AI contexts. Your team may assume the AI framework vendor handles input validation at the checkpoint layer; in this case it did not.
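As an added example (not LangGraph's or Check Point's code), here is the control that was missing: filter keys are checked against an allowlist and filter values travel as bound parameters, so the SQL text never carries user data. The anti-pattern is shown beside it for contrast. The table layout, sample rows and function names are constructed for this example and are not the real LangGraph schema.

```python
import json
import sqlite3

# Constructed, simplified checkpoint store for this example; not the real
# LangGraph schema. Each checkpoint carries its metadata as a JSON text blob.
SCHEMA = """
CREATE TABLE checkpoints (
    thread_id TEXT, checkpoint_id TEXT, metadata TEXT
)"""
SAMPLE_ROWS = [
    ("t1", "c1", json.dumps({"source": "input", "step": 0})),
    ("t1", "c2", json.dumps({"source": "loop", "step": 1})),
    ("t2", "c3", json.dumps({"source": "loop", "step": 1})),
]
# Only the metadata keys the application actually filters on are accepted.
ALLOWED_FILTER_KEYS = {"source", "step"}


def unsafe_filter_sql(filters: dict) -> str:
    """The anti-pattern: filter keys and values spliced straight into SQL text."""
    where = " AND ".join(
        f"json_extract(metadata, '$.{k}') = '{v}'" for k, v in filters.items()
    )
    return f"SELECT thread_id, checkpoint_id FROM checkpoints WHERE {where}"


def safe_filter_query(filters: dict) -> tuple[str, list]:
    """Allowlist the keys and bind the values; user data never enters the SQL text."""
    clauses, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_KEYS:
            raise ValueError(f"unsupported filter key: {key!r}")
        # The key is interpolated only after it passed the allowlist above.
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    where = f" WHERE {' AND '.join(clauses)}" if clauses else ""
    sql = f"SELECT thread_id, checkpoint_id FROM checkpoints{where}"
    return sql + " ORDER BY thread_id, checkpoint_id", params


def search_checkpoints(filters: dict) -> list[tuple[str, str]]:
    """Run the hardened query against the constructed in-memory store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", SAMPLE_ROWS)
    sql, params = safe_filter_query(filters)
    return conn.execute(sql, params).fetchall()
```

A value containing quote characters simply fails to match any row in the hardened version, whereas `unsafe_filter_sql` would have embedded it in the statement.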

Deserialization Controls (OWASP ASVS v4.0.3 - V5.5.3)

The Redis checkpointer used Python's pickle module to deserialize state objects without integrity verification. An attacker could extract a serialized checkpoint through SQL injection, craft a malicious pickle payload, and inject it back into the system. When deserialized, the framework executed the attacker's code.

OWASP ASVS Requirement 5.5.3 states: "Verify that the application restricts the use of deserialization to trusted sources or implements integrity checks to detect tampering or replay of serialized objects."

Deployment Architecture Review

Self-hosted deployments lacked the isolation layers present in LangSmith's managed environment. If your team deployed LangGraph with direct user access to checkpoint filters, you created the attack surface. The vulnerability required both user-controlled input and self-hosted deployment to be exploitable.

What the Relevant Standards Require

PCI DSS v4.0.1 Requirement 6.2.4

"Bespoke and custom software are developed securely" includes third-party frameworks you integrate. If you're processing payment data through an AI agent built on LangGraph, you own the security posture of that framework in your environment. You can't outsource that responsibility just because it's an AI tool.

Requirement 6.2.4 demands secure development practices throughout the software lifecycle. When you deploy a self-hosted AI framework, you're responsible for:

  • Reviewing the framework's security documentation
  • Understanding its attack surface
  • Implementing compensating controls where the framework has known limitations

OWASP ASVS v4.0.3 - V1.14.6

"Verify that all untrusted data that are output to HTML, JavaScript, or other client-side technologies is properly escaped and encoded to prevent injection attacks." This applies equally to data fed into AI agent checkpoints. The checkpoint filter is untrusted data and needs validation before it touches SQL.

ISO/IEC 27001:2022 - Control 8.24

"Use of cryptography" requires protecting data in transit and at rest. When your AI agent serializes state to a checkpoint, that state may contain sensitive data. Pickle serialization without integrity protection violates this control because an attacker can modify the serialized data without detection.

Lessons and Action Items for Your Team

Audit Your AI Framework Dependencies Now

List every AI framework, agent orchestration tool, and LLM integration library in your environment. For each one:

  1. Check if you're running a self-hosted deployment
  2. Identify which components accept user input
  3. Map data flow from user input to framework internals
  4. Verify the framework version against known CVEs

For LangGraph specifically: If you're running langgraph-checkpoint-sqlite before 3.0.1, upgrade immediately. This is a patch-now vulnerability.

Treat AI Frameworks Like Any Other Application

Your security review process for a new web application should apply to AI frameworks. That means:

  • Threat modeling before deployment
  • Input validation at every trust boundary
  • Principle of least privilege for service accounts
  • Network segmentation for self-hosted instances

If you deployed LangGraph without asking "what happens if an attacker controls the checkpoint filter?", you skipped threat modeling.

Implement Defense in Depth for Deserialization

Never trust deserialized data. Even after LangChain's patch, add these controls:

  1. Integrity verification: Sign serialized checkpoints with HMAC before storage. Verify the signature before deserialization.
  2. Allowlist deserialization: If your framework supports it, restrict deserialization to specific classes. Python's pickle is notoriously unsafe—consider JSON or Protocol Buffers for checkpoint serialization instead.
  3. Isolated execution: Run AI agents in containers with minimal privileges. If an attacker achieves RCE, they should land in a sandbox with no lateral movement options.
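Items 1 and 2 in concrete form, as an added example that is not LangChain's code: the checkpoint is JSON-encoded rather than pickled, tagged with HMAC-SHA256 before storage, and the tag is verified in constant time before any parser sees the body. The thread id is bound into the tag so a valid blob cannot be replayed into a different thread. Function names and key handling are assumptions; a real key would come from a secret store, never from the checkpoint database.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # HMAC-SHA256 output size, stored in front of the body


class CheckpointIntegrityError(Exception):
    """Raised when a stored checkpoint fails verification; nothing is parsed."""


def _mac(key: bytes, thread_id: str, body: bytes) -> bytes:
    # Binding thread_id into the tag stops replay of a valid blob into another thread.
    msg = thread_id.encode() + b"\x00" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_checkpoint(key: bytes, thread_id: str, state: dict) -> bytes:
    """JSON-encode the state (no pickle) and prepend an HMAC tag over it."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return _mac(key, thread_id, body) + body


def open_checkpoint(key: bytes, thread_id: str, blob: bytes) -> dict:
    """Verify the tag in constant time before the body is handed to any parser."""
    if len(blob) < TAG_LEN:
        raise CheckpointIntegrityError("blob too short to carry a tag")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, thread_id, body)):
        raise CheckpointIntegrityError("checkpoint tag mismatch")
    return json.loads(body)


def rejects_tampering(key: bytes) -> bool:
    """Flip one byte of a sealed checkpoint and confirm it is refused unparsed."""
    blob = bytearray(seal_checkpoint(key, "thread-1", {"step": 3, "node": "plan"}))
    blob[-1] ^= 0x01  # simulates modification of the stored row
    try:
        open_checkpoint(key, "thread-1", bytes(blob))
    except CheckpointIntegrityError:
        return True
    return False


def rejects_replay(key: bytes) -> bool:
    """A blob sealed for one thread must not verify under another thread id."""
    blob = seal_checkpoint(key, "thread-1", {"step": 3, "node": "plan"})
    try:
        open_checkpoint(key, "thread-2", blob)
    except CheckpointIntegrityError:
        return True
    return False
```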

Evaluate Managed vs. Self-Hosted Trade-offs

LangSmith Deployment wasn't vulnerable because LangChain controls the entire stack. Before you self-host an AI framework, answer:

  • Do you have the security expertise to harden this deployment?
  • Can you monitor for exploitation attempts?
  • Will you patch within 24 hours of CVE disclosure?

If the answer to any of these is no, managed deployment may be your better option. The control trade-off might be worth the reduced attack surface.

Update Your Secure Development Checklist

Add these items to your pre-deployment security review:

  • Framework version checked against CVE databases
  • All user input paths identified and validated
  • Deserialization limited to trusted sources with integrity checks
  • Service runs with minimal privileges in isolated environment
  • Monitoring configured for injection attempt patterns

SQL injection in 2025 shouldn't surprise anyone. SQL injection in an AI agent checkpoint should make you rethink your assumptions about where traditional vulnerabilities appear.

Topics: Incident
