A critical remote code execution vulnerability has been discovered in LangGraph’s checkpoint serialization library, affecting versions before 3.0.
The flaw resides in the JsonPlusSerializer component, which is the default serialization protocol used for all checkpointing operations.
This vulnerability (CVE-2025-64439) allows attackers to execute arbitrary Python code during the deserialization of malicious payloads.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64439 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Component | LangGraph JsonPlusSerializer |
| Affected Versions | langgraph-checkpoint < 3.0 |
| Patched Versions | langgraph-checkpoint >= 3.0 |
| Severity | High (CVSS v4 score 7.5) |
| Attack Vector | Network |
| Privileges Required | Low |
How the Vulnerability Works
The vulnerability stems from an unsafe fallback mechanism in the JsonPlusSerializer. The library normally serializes with msgpack, but when illegal Unicode surrogate values prevent msgpack serialization, it automatically falls back to "json" mode.
During deserialization in this mode, the library supports a constructor-style format that reconstructs custom objects at load time, which means the payload itself decides which code runs.
Attackers can exploit this functionality by crafting malicious payloads that execute system commands or arbitrary functions during deserialization.
This issue impacts users of langgraph-checkpoint versions earlier than 3.0 who allow untrusted or user-supplied data to be persisted into checkpoints.
If your application only processes trusted data or restricts checkpoint writes, the practical risk is significantly reduced. However, any system accepting external input requires immediate attention and patching.
LangGraph has released version 3.0.0 of the checkpoint library, which fully remediates the issue.
The fix implements an allowlist system for constructor deserialization, restricting permissible code paths to explicitly approved module and class combinations.
Additionally, saving payloads in “json” format has been deprecated, removing the unsafe fallback entirely.
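The allowlist approach described above, shown as an added illustration rather than LangGraph's own code: a constructor-style tag is only honoured when its (module, class) pair appears in an explicit allowlist, and anything else, even a harmless class, is refused rather than imported. The tag key `__ctor__` and its `module`/`name`/`args`/`kwargs` fields are assumptions for this example; the real JsonPlusSerializer wire format is not shown on the page.

```python
import importlib
import json
from typing import Any

# Constructed allowlist of (module, class name) pairs that may be reconstructed.
# A real deployment would list only the application's own checkpoint types.
ALLOWED_CONSTRUCTORS = frozenset({
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
})

# Hypothetical tag key marking a constructor-style object (assumption, not LangGraph's format).
TAG = "__ctor__"


class UnsafeConstructorError(ValueError):
    """Raised when a payload asks for a constructor that is not allowlisted."""


def _hook(obj: dict) -> Any:
    """json.loads object_hook: reconstruct allowlisted constructors, refuse all others."""
    tag = obj.get(TAG)
    if tag is None:
        return obj  # ordinary JSON object, pass through unchanged
    if not isinstance(tag, dict):
        raise UnsafeConstructorError("malformed constructor tag")
    module, name = tag.get("module"), tag.get("name")
    # The decision is made before any import happens: an unlisted module is never loaded.
    if (module, name) not in ALLOWED_CONSTRUCTORS:
        raise UnsafeConstructorError(f"refusing to construct {module}.{name}")
    cls = getattr(importlib.import_module(module), name)
    return cls(*tag.get("args", []), **tag.get("kwargs", {}))


def safe_loads(payload: str) -> Any:
    """Decode a checkpoint payload, honouring only allowlisted constructors."""
    return json.loads(payload, object_hook=_hook)


def is_safe_payload(payload: str) -> bool:
    """True if the payload decodes without hitting a non-allowlisted constructor."""
    try:
        safe_loads(payload)
        return True
    except UnsafeConstructorError:
        return False


# Constructed sample payloads: one using only allowlisted types, one naming a
# harmless but unlisted class (fractions.Fraction) to show that the gate is
# "explicitly approved or refused", not "dangerous-looking or not".
GOOD_PAYLOAD = json.dumps({
    "when": {TAG: {"module": "datetime", "name": "datetime", "args": [2025, 11, 6]}},
    "order": {TAG: {"module": "collections", "name": "OrderedDict",
                    "args": [[["b", 2], ["a", 1]]]}},
})
UNLISTED_PAYLOAD = json.dumps({
    "ratio": {TAG: {"module": "fractions", "name": "Fraction", "args": [1, 3]}},
})

if __name__ == "__main__":
    print(safe_loads(GOOD_PAYLOAD))
    print("unlisted payload accepted:", is_safe_payload(UNLISTED_PAYLOAD))
```

The important property is the order of operations: the allowlist check runs before `importlib.import_module`, so a payload cannot cause a side effect simply by naming a module. Denylisting known-dangerous modules instead would leave the same fallback path open to any module not yet on the list.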
This update is fully compatible with LangGraph 0.3 and requires no application code changes.
Organizations should upgrade immediately to langgraph-checkpoint version 3.0.0. Users deploying LangGraph API should update to version 0.5 or later, which automatically includes the patched checkpoint library.
The update is straightforward: no import changes or application code modifications are necessary.
Given the high severity rating and ease of exploitation, this patch should be treated as a critical priority in your security update schedule.
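A small inventory check for the upgrade step above, added here as an example and not part of the advisory: it reads the installed `langgraph-checkpoint` version through `importlib.metadata` and flags anything below 3.0.0 as affected. The distribution name matches the package named on this page; the version comparison is a deliberately simple numeric one (pre-release suffixes such as `rc1` are ignored, so a 3.0.0 pre-release reports as patched; use the `packaging` library where that distinction matters).

```python
from importlib import metadata
from typing import Optional, Tuple

# First version carrying the allowlist fix, per the advisory.
PATCHED = (3, 0, 0)
DISTRIBUTION = "langgraph-checkpoint"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the leading numeric release segment as a 3-tuple, e.g. "2.0.10" -> (2, 0, 10).

    Non-numeric suffixes (rc1, .post1, +local) are dropped; missing parts are zero-filled.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break  # stop at the first non-numeric segment
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if this version is below the patched release."""
    return parse_version(version) < PATCHED


def installed_version(dist: str = DISTRIBUTION) -> Optional[str]:
    """Installed version string, or None if the distribution is not present."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def report(dist: str = DISTRIBUTION) -> str:
    """One-line status suitable for a fleet inventory script."""
    version = installed_version(dist)
    if version is None:
        return f"{dist}: not installed"
    status = "AFFECTED, upgrade to >= 3.0.0" if is_affected(version) else "patched"
    return f"{dist} {version}: {status}"


if __name__ == "__main__":
    print(report())
```

Running this in each deployed environment (not just the developer machine) is the useful part, since the vulnerable fallback is reached at runtime by whatever checkpoint library the service actually loads.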