Deserialization in Langchain-ai Langgraph
CVE-2025-64439
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 2.1.2 and below, the JsonPlusSerializer (used as the default serialization protocol for all…
Vulnerability class: Insecure Deserialization
EPSS: 0.008 (52.8th percentile)
Affected products
- Langchain-ai Langgraph — versions < 3.0.0