
Langgraph Checkpoint Sqlite CVE-2025-67644

HIGH
SQL Injection (CWE-89)
2025-12-11 security-advisories@github.com GHSA-9rwj-6rc7-p77c
7.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch released: Mar 17, 2026 - 20:45 (nvd) - patch available
PoC Detected: Mar 17, 2026 - 19:47 (vuln.today) - public exploit code
CVE Published: Dec 11, 2025 - 00:16 (nvd) - HIGH 7.3

Description (GitHub Advisory)

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.

Analysis (AI)

A SQL injection vulnerability exists in LangGraph SQLite Checkpoint, an implementation of LangGraph CheckpointSaver for SQLite databases. The vulnerability affects versions 3.0.0 and below of the langgraph-checkpoint-sqlite Python package and allows an attacker with local access and low privileges to manipulate SQL queries through unvalidated metadata filter keys in checkpoint search operations. A proof-of-concept exploit is publicly available, though the EPSS score of 0.02% (6th percentile) suggests little active exploitation in the wild at present.

Technical Context (AI)

LangGraph SQLite Checkpoint (cpe:2.3:a:langchain:langgraph-checkpoint-sqlite) is a Python library that provides both synchronous and asynchronous SQLite-based checkpoint persistence for LangGraph applications. The vulnerability is a CWE-89 (SQL Injection) flaw in the _metadata_predicate() function, which builds SQL queries by interpolating user-supplied metadata filter keys directly into f-strings without any validation or sanitization. The injection point is therefore not the filter values, which may be parameterized, but the filter keys themselves, so it bypasses defenses that only sanitize or bind query parameters.

Remediation (AI)

Upgrade langgraph-checkpoint-sqlite to version 3.0.1 or later, which adds input validation to the _metadata_predicate() function, as documented in commit 297242913f8ad2143ee3e2f72e67db0911d48e2a (https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a). If immediate patching is not feasible, apply strict validation and allowlisting to every metadata filter key before it reaches a checkpoint search operation, so that only expected, safe key names are accepted. Applications should never pass arbitrary user-supplied strings as metadata filter keys without validation. Review application code to identify all checkpoint search operations that accept external input, and apply the principle of least privilege to the database connections used by the checkpoint implementation.
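As an added illustration of the hardened pattern the remediation calls for (this is not code from langgraph-checkpoint-sqlite; the table layout, column names, allowlist contents and function names are assumptions), the following validates each metadata filter key against an allowlist and a strict identifier pattern before the key reaches the query text, while values remain bound parameters. It assumes the SQLite bundled with Python has JSON support for json_extract.

```python
import json
import re
import sqlite3

# Assumed allowlist: the only metadata keys this application filters on.
ALLOWED_FILTER_KEYS = frozenset({"source", "step", "writes_user"})
# Defence in depth: even allowlisted keys must be plain identifiers, so a
# quote, parenthesis or JSON-path character can never reach the SQL text.
SAFE_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def is_safe_filter_key(key):
    """True only for an allowlisted key that is also a plain identifier."""
    return key in ALLOWED_FILTER_KEYS and SAFE_KEY_RE.fullmatch(key) is not None


def build_metadata_predicate(metadata_filter):
    """Return (sql_fragment, params): keys are validated before they are
    placed in the query text; values are always bound parameters."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not is_safe_filter_key(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1=1", params


def search_checkpoints(conn, metadata_filter):
    """Return the ids of checkpoints whose metadata matches every filter entry."""
    where, params = build_metadata_predicate(metadata_filter)
    sql = f"SELECT checkpoint_id FROM checkpoints WHERE {where} ORDER BY checkpoint_id"
    return [row[0] for row in conn.execute(sql, params)]


def demo_connection():
    """Constructed in-memory checkpoint table with a few sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (checkpoint_id TEXT PRIMARY KEY, metadata TEXT)")
    samples = [("c1", {"source": "input", "step": 0}),
               ("c2", {"source": "loop", "step": 1}),
               ("c3", {"source": "loop", "step": 2})]
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                     [(cid, json.dumps(md)) for cid, md in samples])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(search_checkpoints(conn, {"source": "loop", "step": 2}))  # ['c3']
    try:
        search_checkpoints(conn, {"source'": "loop"})
    except ValueError as exc:
        print("blocked:", exc)
```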


CVE-2025-67644 vulnerability details – vuln.today
