CVE-2025-64439
remote code execution vulnerability in langgraph-checkpoint (PyPI)

Tags: remote code execution | No known exploit | Fixable by Resolved Security

What is CVE-2025-64439 About?

This is a remote code execution (RCE) vulnerability in LangGraph's JsonPlusSerializer, stemming from insecure deserialization. It allows an attacker to execute arbitrary Python code by providing a malicious payload that is persisted and later deserialized. Successful exploitation can lead to complete system compromise and data breach.

Affected Software

langgraph-checkpoint <3.0.0

Technical Details

The vulnerability exists in LangGraph’s JsonPlusSerializer (used for checkpointing) in versions prior to 3.0. Specifically, when the serializer falls back to the "json" serialization mode (due to illegal Unicode surrogate values causing "msgpack" serialization to fail), it allows for a constructor-style format (lc == 2, type == "constructor") for custom objects. An attacker can craft a malicious payload in this mode, specifying an arbitrary function (e.g., os.system) to be executed during deserialization. If an application persists untrusted user-supplied data that includes such a payload and then attempts to deserialize it, the attacker-defined Python code will be executed in the context of the running application, leading to Remote Code Execution.
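As an added defensive example (not code from this advisory or from LangGraph), the Python below checks a checkpoint payload before it reaches the deserializer: it detects the lone-surrogate strings that push the serializer into the "json" fallback, and it rejects any constructor-style object (lc == 2, type == "constructor") whose target is not on an allowlist. The "id", "method" and "args" key names and the sample payload are assumptions about the format, constructed for illustration.

```python
"""Defensive checks for LangGraph checkpoint payloads (added example, not
project code). Only lc == 2 / type == "constructor" come from the advisory;
the "id", "method" and "args" key names are an assumption about the format."""
import json
from typing import Any, Iterator

# Constructed allowlist: callables a checkpoint legitimately reconstructs.
ALLOWED_CONSTRUCTORS = {("datetime", "datetime"), ("uuid", "UUID")}


def has_lone_surrogate(text: str) -> bool:
    """True if text holds an unpaired surrogate. Such strings are not valid
    UTF-8, so msgpack packing fails and the serializer drops to the "json"
    mode in which constructor-style objects are accepted."""
    try:
        text.encode("utf-8")
    except UnicodeEncodeError:
        return True
    return False


def iter_constructors(node: Any) -> Iterator[dict]:
    """Walk a decoded JSON tree and yield every constructor-style object."""
    if isinstance(node, dict):
        if node.get("lc") == 2 and node.get("type") == "constructor":
            yield node
        for value in node.values():
            yield from iter_constructors(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_constructors(item)


def find_disallowed_constructors(payload: bytes) -> list[tuple[str, ...]]:
    """Return "id" paths of constructor objects not on the allowlist. A
    non-empty result means: do not hand the payload to the deserializer, and
    treat a stored checkpoint containing it as suspect."""
    paths = [tuple(obj.get("id") or ()) for obj in iter_constructors(json.loads(payload))]
    return [p for p in paths if p not in ALLOWED_CONSTRUCTORS]


# Constructed sample: a lone surrogate in a message (the fallback trigger), a
# legitimate datetime, and a constructor naming a callable outside the list.
SAMPLE = json.dumps({
    "messages": ["hello \ud800 world"],
    "ts": {"lc": 2, "type": "constructor", "id": ["datetime", "datetime"],
           "method": "fromisoformat", "args": ["2025-01-01T00:00:00"]},
    "extra": {"lc": 2, "type": "constructor",
              "id": ["untrusted_module", "run_anything"], "args": []},
}).encode()
```

Running `find_disallowed_constructors(SAMPLE)` returns only the non-allowlisted path, so a gate placed in front of checkpoint writes or reads can refuse the payload instead of letting the deserializer resolve an arbitrary callable.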

What is the Impact of CVE-2025-64439?

Successful exploitation may allow attackers to execute arbitrary Python code on the host system, leading to full system compromise, data exfiltration, or denial of service.

What is the Exploitability of CVE-2025-64439?

Exploitation of this vulnerability is remote but requires specific conditions: an application using affected versions of langgraph-checkpoint (prior to 3.0) must allow untrusted or user-supplied data to be persisted into checkpoints, and the serializer must fall back to the "json" mode (e.g., due to Unicode issues). The attacker must then provide a malicious payload designed to trigger constructor-style deserialization with an arbitrary function call. Authentication and specific privileges are not explicitly mentioned for the RCE itself, implying it could be achieved through unauthenticated or low-privileged input channels if those inputs are eventually saved and deserialized. The complexity is moderate to high, as it requires understanding the serialization fallback mechanism and crafting a precise payload. The risk is high if an application accepts external data for checkpointing.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-64439?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

None

Available Upgrade Options

  • langgraph-checkpoint
    • <3.0.0 → Upgrade to 3.0.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2025-64439?

Similar Vulnerabilities: CVE-2023-50020, CVE-2023-50017, CVE-2023-50018, CVE-2023-26466, CVE-2022-42969