Planned Fix

CVE-2025-67644

SQL Injection in LangGraph SQLite Checkpoint

Summary

LangGraph's SQLite checkpointing component is vulnerable to SQL injection via unvalidated metadata keys. The root cause is the _metadata_predicate() function constructing SQL queries by interpolating user-controlled keys, allowing manipulation or exfiltration of data. The issue is fixed in version 3.0.1.

Why Planned Fix?

2/6
  • Authentication required
  • Deployment unknown
  • No user interaction needed
  • Default configuration unknown
  • No active exploitation or PoC
  • High impact vulnerability

Exploitation Details

Type: SQLi (SQL Injection)
Is exploitable with default configuration? Unknown
Is authentication needed? Yes
PoC / Exploit: No
Impact

Read and potentially modify data stored in the LangGraph SQLite checkpoint store; confidentiality impact is high, integrity impact is low, availability impact is none.

Exploitation Requirements
  • Authentication required
  • Access to the vulnerable LangGraph instance and the ability to submit metadata f
  • vulnerable versions ≤ 3.0.0
  • local access (AV:L) and low privileges
  • no user interaction required.
Exploitation Process

An attacker can submit a crafted metadata filter key to the LangGraph checkpoint API. The key is interpolated into SQL queries without validation, enabling injection and potential data leakage or modification.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: LangChain
Product: LangGraph
Affected Versions: 3.0.0 and below
Description

LangGraph is a framework for building multi-agent AI workflows that stores state in a checkpoint store backed by SQLite.

Deployment: | Protocol: HTTP | Ports: 80, 443
Affected Component: LangGraph SQLite Checkpoint component (checkpoint store used by LangGraph)

Affected Endpoints (5)
1. https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c
2. https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a
3. https://nvd.nist.gov/vuln/detail/CVE-2025-67644
4. https://cve.org/CVERecord?id=CVE-2025-67644
5. https://api.osv.dev/v1/vulns/CVE-2025-67644
Enterprise Usage: Estimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals, not exact data.
Vendor Size: Niche
Remediation
Workaround: Not available
Patch: Not available
Update: Not available

Threat Intelligence
EPSS data unavailable
CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.
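The two passages above (the summary and the NVD description) both point at the same defect: a filter key spliced into an f-string. The following is an added illustration, not LangGraph's own code; the checkpoint schema, the json_extract() query shape, the identifier regex and the sample rows are all assumptions made for the example. It shows the interpolating pattern next to a hardened form that allow-lists keys and binds the JSON path as a parameter.

```python
import re
import sqlite3

# Added illustration, not LangGraph's code. Assumed schema: a checkpoints
# table whose "metadata" column holds a JSON object, filtered with SQLite's
# json_extract(). Only scalar filter values are handled here.
SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def vulnerable_predicate(metadata_filter: dict) -> tuple[str, list]:
    """Pattern the advisory describes: the filter key is interpolated into
    the SQL text, so whoever controls the key controls the query."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")  # key unvalidated
        params.append(value)
    return " AND ".join(clauses) or "1 = 1", params

def safe_predicate(metadata_filter: dict) -> tuple[str, list]:
    """Hardened form: keys must be plain identifiers, and the JSON path is
    bound as a parameter instead of being spliced into the SQL string."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not SAFE_KEY.fullmatch(key):
            raise ValueError(f"invalid metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend(["$." + key, value])
    return " AND ".join(clauses) or "1 = 1", params

def make_store() -> sqlite3.Connection:
    """In-memory stand-in for the checkpoint table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [("t1", '{"source": "input", "step": 1}'),
         ("t2", '{"source": "loop", "step": 2}'),
         ("t3", '{"source": "input", "step": 3}')],
    )
    return conn

def search(conn: sqlite3.Connection, metadata_filter: dict) -> list[str]:
    """thread_ids whose metadata matches every filter key; the WHERE text
    comes only from fixed fragments, all user input travels as parameters."""
    where, params = safe_predicate(metadata_filter)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    conn = make_store()
    print(search(conn, {"source": "input"}))  # ['t1', 't3']
```

A key containing anything other than identifier characters (a quote, a space, a parenthesis) is rejected before any SQL is built, which is the check the vulnerable pattern lacks.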

CVSS Base Score: 7.8 (High)

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: | Version From: | Version Upto: 3.0.1

Affected Software (CPE) (1)

  • cpe:2.3:a:langchain:langgraph-checkpoint-sqlite:*:*:*:*:*:python:*:*