CVE-2025-67644
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Description
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.
Analysis
A SQL injection vulnerability exists in LangGraph SQLite Checkpoint, an implementation of LangGraph CheckpointSaver for SQLite databases. The vulnerability affects versions 3.0.0 and below of the langgraph-checkpoint-sqlite Python package. An attacker with local access and low privileges who can influence the metadata filter keys passed to a checkpoint search operation can alter the generated SQL, because the keys are never validated before being interpolated into the query. A proof-of-concept exploit is publicly available, though the EPSS score of 0.02% (6th percentile) indicates a low estimated probability of exploitation in the wild at present.
Technical Context
LangGraph SQLite Checkpoint (cpe:2.3:a:langchain:langgraph-checkpoint-sqlite) is a Python library that provides both synchronous and asynchronous SQLite-based checkpoint persistence for LangGraph applications. The vulnerability is a CWE-89 (SQL Injection) flaw in the _metadata_predicate() function, which builds the WHERE clause for metadata filters by interpolating the filter keys directly into f-strings, with no validation or sanitization of the key names. The injection point is therefore not the filter values (which can be passed as bound parameters) but the keys themselves, so a parameterized-query defense that protects only values does nothing here. Any application that lets an external caller choose the key names in a checkpoint search filter exposes the underlying SQLite database to attacker-controlled SQL.
Affected Products
LangChain's langgraph-checkpoint-sqlite Python package versions 3.0.0 and below are affected by this vulnerability. The affected product is confirmed via CPE identifier cpe:2.3:a:langchain:langgraph-checkpoint-sqlite:*:*:*:*:*:python:*:*. This includes both the synchronous SQLite and asynchronous aiosqlite implementations of the LangGraph CheckpointSaver interface. The vendor security advisory is available at https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c with additional technical details and exploit demonstration.
Remediation
Upgrade langgraph-checkpoint-sqlite to version 3.0.1 or later, which adds input validation to the _metadata_predicate() function as documented in commit 297242913f8ad2143ee3e2f72e67db0911d48e2a (https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a). If immediate patching is not feasible, apply strict validation and allowlisting to every metadata filter key before it reaches a checkpoint search operation, so that only expected, well-formed key names are accepted. Applications should never pass arbitrary user-supplied strings as metadata filter keys without validation. Review application code to identify every checkpoint search operation that accepts external input, and apply the principle of least privilege to the database connections used by the checkpoint implementation so that a successful injection cannot reach data outside the checkpoint store.
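The following is an added illustration of the bug class described under Technical Context and of the allowlisting mitigation recommended above. It is not code from the langgraph-checkpoint-sqlite package: the table layout, the json_extract-based predicate shape, the function names predicate_vulnerable, predicate_hardened and search, the key regex, and the sample rows are all constructed for this example. The vulnerable variant reproduces the general pattern the advisory describes (filter key interpolated into an f-string, only the value bound); the hardened variant rejects any key that is not a plain identifier and binds the JSON path as a parameter as well.

```python
import json
import re
import sqlite3

# Constructed sample data: a minimal checkpoint table whose metadata column
# holds a JSON object, the shape a metadata filter is evaluated against.
SAMPLE_ROWS = [
    ("thread-1", {"source": "input", "user": "alice"}),
    ("thread-2", {"source": "loop", "user": "bob"}),
    ("thread-3", {"source": "input", "user": "carol"}),
]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [(tid, json.dumps(md)) for tid, md in SAMPLE_ROWS],
    )
    return conn


def predicate_vulnerable(filter_):
    """Hypothetical vulnerable predicate builder.

    The filter VALUE is bound as a parameter, but the filter KEY is pasted
    into the SQL text via an f-string, so a crafted key rewrites the query.
    """
    clauses, params = [], []
    for key, value in filter_.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return " AND ".join(clauses) or "1=1", params


# Allowlist: keys must look like plain identifiers. Anything else is rejected
# before it can reach the query text.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def predicate_hardened(filter_):
    """Hardened predicate builder: validate keys, bind the JSON path too."""
    clauses, params = [], []
    for key, value in filter_.items():
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"invalid metadata filter key: {key!r}")
        # Both the path and the value are bound parameters; no SQL text is
        # built from caller-controlled strings.
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend(["$." + key, value])
    return " AND ".join(clauses) or "1=1", params


def search(conn, predicate, filter_):
    """Run a metadata search with the given predicate builder."""
    where, params = predicate(filter_)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [row[0] for row in conn.execute(sql, params).fetchall()]


# A key that closes the JSON-path literal and appends an always-true branch.
# With the vulnerable builder the WHERE clause becomes:
#   json_extract(metadata, '$.source') IS NOT NULL OR ('1') = ?
# which matches every row regardless of the bound value.
MALICIOUS_KEY = "source') IS NOT NULL OR ('1"

if __name__ == "__main__":
    conn = make_db()
    print("legit, vulnerable :", search(conn, predicate_vulnerable, {"source": "input"}))
    print("evil,  vulnerable :", search(conn, predicate_vulnerable, {MALICIOUS_KEY: "nope"}))
    print("legit, hardened   :", search(conn, predicate_hardened, {"source": "input"}))
    try:
        search(conn, predicate_hardened, {MALICIOUS_KEY: "nope"})
    except ValueError as exc:
        print("evil,  hardened   : rejected ->", exc)
```

The allowlist is the control the remediation section asks for; binding the JSON path as a parameter is defense in depth on top of it, so that even a future key format change cannot reintroduce string concatenation into the query. Note that json_extract requires an SQLite build with JSON support, which the Python standard library's sqlite3 module provides on current releases.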
External POC / Exploit Code
GHSA-9rwj-6rc7-p77c