AI Threat Alert
If your team uses LangGraph with SQLite checkpointing (langgraph-checkpoint-sqlite ≤2.0.10), upgrade to 2.0.11 immediately — the filter operators are vulnerable to SQL injection that can expose every API key, credential, and document in your checkpoint store. Assume any application-layer query filtering that reaches LangGraph's SQLite store is a potential injection point, audit what sensitive data your agents are persisting in state, and rotate any credentials that may have passed through the checkpoint store. This is a straightforward patch with no architectural changes required.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langgraph-checkpoint-sqlite | pip | <= 2.0.10 | 2.0.11 |
Do you use langgraph-checkpoint-sqlite? You're affected.
Severity & Risk
Recommended Action
- 1. PATCH: Upgrade langgraph-checkpoint-sqlite to ≥2.0.11 immediately. Verify: pip show langgraph-checkpoint-sqlite | grep Version. 2. AUDIT: Inventory all services using the vulnerable version — scan requirements.txt, pyproject.toml, and lock files across your AI stack. 3. ROTATE: Treat any API keys, tokens, or credentials ever stored in LangGraph SQLite checkpoints as potentially compromised; rotate them proactively. 4. HARDEN: Never store raw credentials in agent state or checkpoints; reference secrets via vault integrations (e.g., AWS Secrets Manager, HashiCorp Vault). 5. DETECT: Review application logs for filter queries containing SQL metacharacters (single quotes, semicolons, UNION, OR 1=1 patterns) against LangGraph endpoints. 6. WORKAROUND (if patching is blocked): Validate and allowlist filter operator values at the application layer before they reach LangGraph store methods.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
A SQL injection vulnerability exists in the langchain-ai/langchain repository, specifically in the LangGraph's SQLite store implementation. The affected version is langgraph-checkpoint-sqlite 2.0.10. The vulnerability arises from improper handling of filter operators ($eq, $ne, $gt, $lt, $gte, $lte) where direct string concatenation is used without proper parameterization. This allows attackers to inject arbitrary SQL, leading to unauthorized access to all documents, data exfiltration of sensitive fields such as passwords and API keys, and a complete bypass of application-level security filters.
Exploitation Scenario
An attacker identifies an application built on LangGraph that exposes a checkpoint retrieval endpoint accepting metadata filter parameters (e.g., GET /api/history?filter[$eq]=value). Instead of a legitimate value, they inject a SQL payload such as ' OR '1'='1' --. The unparameterized string concatenation in the SQLite store executes the query returning all checkpoint records, defeating user-scoped isolation entirely. For targeted credential exfiltration, the attacker chains UNION SELECT statements to extract specific fields — API keys, session tokens, or passwords stored by the agent during prior tool calls — then exfiltrates them out of band. The attacker then uses harvested API keys to pivot into integrated services (LLM providers, databases, SaaS tools) the agent had access to, achieving lateral movement beyond the original LangGraph deployment.
Weaknesses (CWE)
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N References
- huntr.com/bounties/9793f4b3-76f8-44a4-989f-49a2177ee118
- github.com/advisories/GHSA-4h97-wpxp-3757
- github.com/langchain-ai/langgraph/commit/bc9d45b476101e441cb1cc602dea03eb29232de4
- github.com/langchain-ai/langgraph/pull/5666
- github.com/langchain-ai/langgraph/releases/tag/checkpointsqlite%3D%3D2.0.11
- huntr.com/bounties/9793f4b3-76f8-44a4-989f-49a2177ee118
- nvd.nist.gov/vuln/detail/CVE-2025-8709
- huntr.com/bounties/9793f4b3-76f8-44a4-989f-49a2177ee118