The flaw CVE-2025-64439 affects versions of langgraph-checkpoint before 3.0. It allows attackers to execute arbitrary Python code when untrusted data is deserialized.
The vulnerability resides in LangGraph’s JsonPlusSerializer, the default serialization protocol used for checkpoint persistence.
When the serializer encounters illegal Unicode surrogate values during msgpack serialization, it automatically falls back to JSON mode.
In this fallback state, the deserializer supports a constructor-style format that reconstructs custom objects during loading.
The flaw carries a CVSS score of 8.5, classified as “High” severity. It falls under CWE-502, which covers deserialization of untrusted data vulnerabilities.
An attacker can exploit this mechanism to inject malicious payloads that execute arbitrary functions when deserialized.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64439 |
| Vulnerability Type | Remote Code Execution (RCE) |
| Component | LangGraph JsonPlusSerializer |
| Affected Versions | langgraph-checkpoint < 3.0 |
| Patched Versions | langgraph-checkpoint >= 3.0 |
| Severity | High (7.5 CVSS v4) |
| Attack Vector | Network |
The vulnerability primarily affects applications that meet two conditions: They allow untrusted or user-supplied data to be persisted into checkpoints, and they use the default JsonPlusSerializer (or explicitly instantiate it).
Applications processing only trusted data face significantly lower practical risk. LangGraph-API deployments running version 0.5 or later are unaffected.
Attackers can weaponize this vulnerability through a carefully crafted proof-of-concept. That injects a malicious payload structured with specific JSON elements: an “lc” value of 2, a “type” set to “constructor,” and an “id” field pointing to dangerous system functions like “os.system.”
When the compromised checkpoint is loaded, the deserialization process automatically executes the embedded command.
LangChain has released langgraph-checkpoint version 3.0 to address this issue.
The fix implements an allow-list for constructor deserialization, restricting permissible paths to explicitly approved module and class combinations.
Additionally, saving payloads in JSON format has been deprecated to eliminate this unsafe fallback mechanism. Users should upgrade immediately to version 3.0 or later.
The update maintains full compatibility with langgraph 0.3. It requires no code modifications or import changes, making the patching process straightforward and low-risk for most deployments.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post LangGraph Vulnerability Allows Malicious Python Code Execution During Deserialization appeared first on Cyber Security News.
A newly identified malware campaign is raising serious concerns across the cybersecurity community by delivering…
A newly identified malware campaign is raising serious concerns across the cybersecurity community by delivering…
Security researchers have uncovered a highly sophisticated attack campaign that weaponizes a legitimate, digitally signed…
Security researchers have uncovered a highly sophisticated attack campaign that weaponizes a legitimate, digitally signed…
FORT WAYNE, Ind. (WOWO) — Indiana will see a short-lived stretch of improving and warmer…
FORT WAYNE, Ind. (WOWO) — A Roanoke woman has been sentenced to decades behind bars…
This website uses cookies.