A critical remote code execution vulnerability has been discovered in LangGraph’s checkpoint serialization system.
The flaw CVE-2025-64439 affects versions of langgraph-checkpoint before 3.0. It allows attackers to execute arbitrary Python code when untrusted data is deserialized.
The vulnerability resides in LangGraph’s JsonPlusSerializer, the default serialization protocol used for checkpoint persistence.
When the serializer encounters illegal Unicode surrogate values during msgpack serialization, it automatically falls back to JSON mode.
LangGraph Vulnerability
In this fallback state, the deserializer supports a constructor-style format that reconstructs custom objects during loading.
The flaw carries a CVSS score of 8.5, classified as “High” severity. It falls under CWE-502, which covers deserialization of untrusted data vulnerabilities.
An attacker can exploit this mechanism to inject malicious payloads that execute arbitrary functions when deserialized.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64439 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Component | LangGraph JsonPlusSerializer |
| Affected Versions | langgraph-checkpoint < 3.0 |
| Patched Versions | langgraph-checkpoint >= 3.0 |
| Severity | High (7.5 CVSS v4) |
| Attack Vector | Network |
The vulnerability primarily affects applications that meet two conditions: They allow untrusted or user-supplied data to be persisted into checkpoints, and they use the default JsonPlusSerializer (or explicitly instantiate it).
Applications processing only trusted data face significantly lower practical risk. LangGraph-API deployments running version 0.5 or later are unaffected.
Attackers can weaponize this vulnerability through a carefully crafted proof-of-concept. That injects a malicious payload structured with specific JSON elements: an “lc” value of 2, a “type” set to “constructor,” and an “id” field pointing to dangerous system functions like “os.system.”
When the compromised checkpoint is loaded, the deserialization process automatically executes the embedded command.
LangChain has released langgraph-checkpoint version 3.0 to address this issue.
The fix implements an allow-list for constructor deserialization, restricting permissible paths to explicitly approved module and class combinations.
Additionally, saving payloads in JSON format has been deprecated to eliminate this unsafe fallback mechanism. Users should upgrade immediately to version 3.0 or later.
The update maintains full compatibility with langgraph 0.3. It requires no code modifications or import changes, making the patching process straightforward and low-risk for most deployments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
