A critical remote code execution vulnerability has been discovered in LangGraph’s checkpoint serialization library, posing significant risks to deployed applications.
The flaw affects versions before 3.0 and enables attackers to execute arbitrary Python code through malicious payload deserialization.
The vulnerability resides in the JsonPlusSerializer component, which serves as the default serialization protocol for all checkpoint operations.
When msgpack serialization fails due to illegal Unicode surrogate values, the system automatically switches to JSON mode.
During this fallback process, the system supports a constructor-style format that reconstructs custom objects at load time, creating the attack surface that malicious actors can exploit.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64439 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Component | LangGraph JsonPlusSerializer |
| Affected Versions | langgraph-checkpoint < 3.0 |
| Patched Versions | langgraph-checkpoint >= 3.0 |
| Severity | High (7.5 CVSS v4) |
| Attack Vector | Network |
| Privileges Required | Low |
The vulnerability’s severity stems from the unsafe fallback mechanism that permits object reconstruction during deserialization without proper validation.
Attackers can craft malicious payloads to execute system commands or arbitrary functions when checkpoints are loaded.
The practical risk is elevated for applications accepting untrusted or user-supplied data persisted into checkpoints.
However, organizations restricting checkpoint writes to trusted data sources face significantly reduced exposure.
The maintainers have released langgraph-checkpoint version 3.0.0 with complete remediation. The patch implements an allowlist for constructor deserialization, so only explicitly approved module and class combinations can be reconstructed when a checkpoint is loaded.
Additionally, the unsafe JSON serialization fallback has been deprecated entirely, eliminating the attack vector.
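To make the mechanism in the two passages above concrete, the following is an added example written for this article; it is not LangGraph's code and does not use its real checkpoint format. It assumes a hypothetical constructor-style JSON marker (`"__constructor__"` with `module`, `name`, `args`, `kwargs`) and a hypothetical allowlist of three standard-library types. It shows the two defensive controls a patched serializer applies: an `audit_constructors` pass that lists every constructor reference in a stored checkpoint without instantiating anything (useful for scanning existing checkpoint stores), and a `loads_checkpoint` function that refuses to import or call any constructor that is not on the allowlist.

```python
import importlib
import json
from typing import Any, Callable

# Hypothetical allowlist of (module, class) pairs that may be reconstructed.
# The real langgraph-checkpoint 3.0 list is different; this is an assumption.
ALLOWED_CONSTRUCTORS: frozenset[tuple[str, str]] = frozenset({
    ("datetime", "datetime"),
    ("decimal", "Decimal"),
    ("uuid", "UUID"),
})


class UnsafeConstructorError(ValueError):
    """Raised when a checkpoint references a constructor outside the allowlist."""


def _resolve(module: str, name: str) -> Callable[..., Any]:
    # The allowlist check happens BEFORE importlib runs, so an unapproved
    # module is never imported (imports alone can have side effects).
    if (module, name) not in ALLOWED_CONSTRUCTORS:
        raise UnsafeConstructorError(f"constructor {module}.{name} is not allowlisted")
    obj: Any = importlib.import_module(module)
    for part in name.split("."):
        obj = getattr(obj, part)
    return obj


def _object_hook(d: dict) -> Any:
    # json.loads calls this bottom-up, so args/kwargs are already decoded.
    spec = d.get("__constructor__")
    if spec is None:
        return d
    ctor = _resolve(spec["module"], spec["name"])
    return ctor(*spec.get("args", []), **spec.get("kwargs", {}))


def loads_checkpoint(raw: bytes) -> Any:
    """Decode a checkpoint, reconstructing only allowlisted objects."""
    return json.loads(raw.decode("utf-8"), object_hook=_object_hook)


def audit_constructors(raw: bytes) -> list[str]:
    """Walk the JSON tree and list constructors that are NOT allowlisted.

    Nothing is imported or instantiated, so this is safe to run over a
    checkpoint store before deciding whether its contents may be loaded.
    """
    found: list[str] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            spec = node.get("__constructor__")
            if isinstance(spec, dict):
                key = (spec.get("module"), spec.get("name"))
                if key not in ALLOWED_CONSTRUCTORS:
                    found.append(f"{key[0]}.{key[1]}")
                walk(spec.get("args", []))
                walk(spec.get("kwargs", {}))
            else:
                for value in node.values():
                    walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(raw))
    return found


# Constructed sample checkpoints (hypothetical format, not LangGraph's own).
SAFE_CHECKPOINT: bytes = json.dumps({
    "channel_values": {
        "amount": {"__constructor__": {"module": "decimal", "name": "Decimal",
                                       "args": ["19.99"]}},
        "run_id": {"__constructor__": {"module": "uuid", "name": "UUID",
                                       "args": ["12345678123456781234567812345678"]}},
    },
    "step": 3,
}).encode("utf-8")

# Same structure, but referencing a type that is not on the allowlist.
REJECTED_CHECKPOINT: bytes = json.dumps({
    "channel_values": {
        "workdir": {"__constructor__": {"module": "pathlib", "name": "Path",
                                        "args": ["/tmp"]}},
    },
    "step": 1,
}).encode("utf-8")


if __name__ == "__main__":
    print("safe audit:", audit_constructors(SAFE_CHECKPOINT))
    print("rejected audit:", audit_constructors(REJECTED_CHECKPOINT))
    print("loaded:", loads_checkpoint(SAFE_CHECKPOINT))
    try:
        loads_checkpoint(REJECTED_CHECKPOINT)
    except UnsafeConstructorError as exc:
        print("refused:", exc)
```

The design point is that the allowlist is consulted before any import or call happens, and that the audit function never executes anything from the data, so it can be run against checkpoints written before an upgrade to find records that a patched loader would refuse.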
The update is fully compatible with LangGraph 0.3 and requires no code modifications. Users deploying LangGraph API should upgrade to version 0.5 or later, which automatically includes the patched checkpoint library.
The upgrade process remains straightforward with no import changes necessary.
Given the high severity rating and ease of exploitation, immediate patching is critical. Organizations should prioritize langgraph-checkpoint version 3.0.0 upgrades in their security schedules.
The update presents minimal implementation friction while effectively eliminating this critical vulnerability.