
Critical Flaw in LangGraph Allows Remote Code Execution via Deserialization

A critical remote code execution vulnerability has been discovered in LangGraph’s checkpoint serialization library, posing significant risks to deployed applications.

The flaw affects versions before 3.0 and enables attackers to execute arbitrary Python code through malicious payload deserialization.

The vulnerability resides in the JsonPlusSerializer component, which serves as the default serialization protocol for all checkpoint operations.

When msgpack serialization fails due to illegal Unicode surrogate values, the system automatically switches to JSON mode.

During this fallback process, the system supports a constructor-style format that reconstructs custom objects at load time, creating the attack surface that malicious actors can exploit.

Attribute            Details
CVE ID               CVE-2025-64439
Vulnerability Type   Remote Code Execution (RCE)
Component            LangGraph JsonPlusSerializer
Affected Versions    langgraph-checkpoint < 3.0
Patched Versions     langgraph-checkpoint >= 3.0
Severity             High (7.5 CVSS v4)
Attack Vector        Network
Privileges Required  Low

The vulnerability’s severity stems from the unsafe fallback mechanism that permits object reconstruction during deserialization without proper validation.

Attackers can craft malicious payloads to execute system commands or arbitrary functions when checkpoints are loaded.

The practical risk is highest for applications that persist untrusted or user-supplied data into checkpoints, since that is the data the serializer later reconstructs.

However, organizations restricting checkpoint writes to trusted data sources face significantly reduced exposure.

LangGraph has released version 3.0.0 with complete remediation. The patch implements an allowlist system for constructor deserialization, restricting permissible code paths to explicitly approved module and class combinations.

Additionally, the unsafe JSON serialization fallback has been deprecated entirely, eliminating the attack vector.
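To make the mechanism and the fix concrete, here is an added example that is not code from LangGraph or from the article's author. It builds a toy constructor-style JSON loader and applies the allowlist principle the patch is described as using: only explicitly approved (module, class) pairs may be rebuilt, and anything else, even a harmless class, is refused. The wire format (`__ctor__`, `args`, `kwargs`), the allowlist contents and all function names are assumptions made for this example and are not LangGraph's actual encoding. The last helper shows why a lone Unicode surrogate is the trigger the article mentions: such a string cannot be UTF-8 encoded.

```python
import importlib
import json
from typing import Any

# Constructed wire format for this example only (hypothetical; not LangGraph's
# real checkpoint encoding): a custom object is written as
#   {"__ctor__": ["module", "qualname"], "args": [...], "kwargs": {...}}
# and rebuilt by calling module.qualname(*args, **kwargs) at load time.

# Explicit (module, qualname) pairs that may be rebuilt. Anything else is refused,
# which is the allowlist principle the 3.0 patch applies. Contents are assumed.
CTOR_ALLOWLIST = {
    ("datetime", "datetime"),
    ("decimal", "Decimal"),
    ("uuid", "UUID"),
}


class UnsafeConstructorError(ValueError):
    """Raised when a checkpoint names a constructor outside the allowlist."""


def resolve_constructor(module: str, qualname: str):
    """Import and return module.qualname, but only for allowlisted pairs."""
    if (module, qualname) not in CTOR_ALLOWLIST:
        raise UnsafeConstructorError(f"refusing to reconstruct {module}.{qualname}")
    target: Any = importlib.import_module(module)
    for part in qualname.split("."):
        target = getattr(target, part)
    return target


def _object_hook(d: dict) -> Any:
    # json.loads calls this for every decoded JSON object, innermost first.
    if "__ctor__" in d:
        module, qualname = d["__ctor__"]
        ctor = resolve_constructor(module, qualname)
        return ctor(*d.get("args", []), **d.get("kwargs", {}))
    return d


def load_checkpoint(raw: str) -> Any:
    """Deserialize a JSON checkpoint, rebuilding only allowlisted objects."""
    return json.loads(raw, object_hook=_object_hook)


def load_result(raw: str) -> tuple:
    """('ok', repr(value)) or ('rejected', reason), convenient for logging."""
    try:
        return ("ok", repr(load_checkpoint(raw)))
    except UnsafeConstructorError as exc:
        return ("rejected", str(exc))


def utf8_encodable(text: str) -> bool:
    """False for strings holding lone surrogates: such values cannot be UTF-8
    encoded, which is what pushes a msgpack encoder into the JSON fallback."""
    try:
        text.encode("utf-8")
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    # Constructed checkpoint payloads for demonstration:
    approved = '{"__ctor__": ["decimal", "Decimal"], "args": ["19.99"]}'
    unlisted = '{"__ctor__": ["collections", "OrderedDict"], "args": []}'
    print(load_result(approved))   # ('ok', "Decimal('19.99')")
    print(load_result(unlisted))   # ('rejected', 'refusing to reconstruct ...')
    print(utf8_encodable("plain text"), utf8_encodable("\ud800"))  # True False
```

The allowlist is deliberately a set of exact pairs rather than a module prefix: a prefix match on a trusted module still lets a payload reach any attribute of that module, which is the kind of over-broad "approved code path" the patch is meant to close.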

The update is fully compatible with LangGraph 0.3 and requires no code modifications. Users deploying LangGraph API should upgrade to version 0.5 or later, which automatically includes the patched checkpoint library.

The upgrade process remains straightforward with no import changes necessary.

Given the high severity rating and ease of exploitation, immediate patching is critical. Organizations should prioritize langgraph-checkpoint version 3.0.0 upgrades in their security schedules.

The update presents minimal implementation friction while effectively eliminating this critical vulnerability.


The post Critical Flaw in LangGraph Allows Remote Code Execution via Deserialization appeared first on Cyber Security News.
